~~NOCACHE~~
## 54.ログ管理-auditd.conf

### auditd.confの設定方法

#変更
vi /etc/audit/auditd.conf

#適用(systemctlだとエラーがでる)
service auditd restart

※ RHEL 7 以降の auditd.service には RefuseManualStop=yes が設定されているため、systemctl stop/restart auditd は拒否される。そのためレガシーの service コマンドで再起動する。再起動後は auditctl -s で auditd が稼働中（pid が 0 でない）であることを確認しておくこと。監査デーモンが落ちたままだと以降の操作が一切記録されない。

### auditd.confの設定詳細
特別な要件がない限り初期値から変更しなくて良い。
https://qiita.com/Brutus/items/7ec3d06adf6af6ca24b7

ただし、初期値が監査ログの「残り方」に対して何を意味するかは把握しておくこと。
- ログの保持量: max_log_file = 8（MB）× num_logs = 5 なので、ローカルには最大 40MB 程度しか残らず、max_log_file_action = ROTATE により古いログは上書きされる。監査証跡を保証したい環境では keep_logs にするか、rsyslog や CloudWatch Logs 等で外部へ転送する。
- ディスク逼迫時の挙動: space_left_action = SYSLOG は syslog に警告を出すだけで、admin_space_left_action / disk_full_action / disk_error_action = SUSPEND はシステムを止めずに監査ログの書き込みだけを止める。つまりディスクが埋まると監査が静かに停止する。CIS Benchmark 等のハードニング基準では email / halt / single などへの変更が求められることが多い。
- 書き込みの耐久性: flush = INCREMENTAL_ASYNC, freq = 50 のため、ホストが突然停止すると直近最大 50 件程度のレコードが失われうる。失ってはならない環境では flush = DATA または SYNC を検討する（その分性能は落ちる）。
- リモート受信: tcp_listen_port がコメントアウトされているため、他ホストからの監査ログ受信（auditd のリモートロギング受け側）は無効。必要がなければ有効化しない。
- 読み取り権限: log_group = root なので audit.log は root 以外から読めない。ログ転送エージェントを非 root で動かす場合は、log_group に専用グループを指定してそのグループにエージェントを入れるのが一般的。

### audit.logを見やすく表示するコマンド
awk 'match($0,/[0-9]+/){print strftime("%c",substr($0,RSTART,RLENGTH)),$0}' /var/log/audit/audit.log

各行の最初の数字列（msg=audit(<epoch秒>.<ミリ秒>:<連番>) の epoch 秒部分）を strftime で日時に変換し、行頭に付けて表示している。strftime は GNU awk（gawk）の拡張なので、mawk 等では動かない。標準ツールでは ausearch -i（時刻や uid などを人間向けに解釈して表示）や ausearch -ts today -i で同等のことができ、ENRICHED 形式にも対応している。

### 初期値
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
{{tag>AWS RHEL 実践的}}