The Linux auditd daemon captures events from the Linux kernel and records them in a log file for inspection. The entries that auditd records are determined by a set of rules that specify which events are written to the log. Auditing is disabled by default. To modify the default audit rules, edit the /etc/audit/audit.rules file.
About this task
To enable auditing, perform the following steps.
NOTE You can also use the YaST tool to enable and disable auditing.
Steps
1. Connect to the PowerProtect Data Manager console and change to the root user.
2. To start auditd, type one of the following commands:
   Continuous logging (auditd is enabled so that it runs at every boot): systemctl enable auditd
   Log until system restart: service auditd start
   NOTE To disable continuous auditd logging, type systemctl disable auditd. To stop auditd, type service auditd stop
3. To review auditd log entries, review the /var/log/audit/audit.log file and its rotated copies in the /var/log/audit directory.
   NOTE The /var/log/audit directory retains at most five audit.log files, and log rotation occurs when the active file reaches 6 MB. To modify the default configuration, edit the /etc/audit/auditd.conf file, where:
   num_logs specifies how many log files to retain concurrently in the directory.
   max_log_file specifies the maximum log file size in MB.
   max_log_file_action instructs the auditd daemon to rotate the log files when they reach the maximum size.
   Do not modify other parameters unless specifically instructed to do so by Support.
4. To produce a summary report from the audit logs, type aureport --summary
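As an added check that is not part of the PowerProtect Data Manager documentation, the script below reads the num_logs, max_log_file and max_log_file_action settings from an auditd.conf, compares them with the defaults described above (five files, 6 MB, rotate), and counts the audit.log files present in the log directory. The config fragment and log directory it uses are constructed here so that it runs offline; on a live system the paths would be /etc/audit/auditd.conf and /var/log/audit.

```shell
#!/bin/sh
# Added example: verify auditd retention settings against the documented defaults
# (5 files, 6 MB, rotate) and count the audit.log files actually present.
# The config fragment and log directory below are constructed for offline use;
# on a live system point at /etc/audit/auditd.conf and /var/log/audit instead.

audit_setting() {
  # $1 = auditd.conf path, $2 = key; prints the value with whitespace and comments stripped
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

check_audit_conf() {
  # Returns 0 when num_logs, max_log_file and max_log_file_action match the defaults
  num=$(audit_setting "$1" num_logs)
  size=$(audit_setting "$1" max_log_file)
  action=$(audit_setting "$1" max_log_file_action | tr 'A-Z' 'a-z')
  [ "$num" = "5" ] && [ "$size" = "6" ] && [ "$action" = "rotate" ]
}

count_audit_logs() {
  # $1 = log directory; counts audit.log and its rotated copies (audit.log.1, ...)
  find "$1" -maxdepth 1 -name 'audit.log*' -type f | wc -l | tr -d ' '
}

# Constructed sample config (not the real /etc/audit/auditd.conf)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# auditd.conf (constructed sample)
log_file = /var/log/audit/audit.log
max_log_file = 6   # MB
num_logs = 5
max_log_file_action = ROTATE
EOF

# Constructed sample log directory holding the active log plus four rotated copies
SAMPLE_LOGDIR=$(mktemp -d)
for n in "" .1 .2 .3 .4; do : > "$SAMPLE_LOGDIR/audit.log$n"; done

if check_audit_conf "$SAMPLE_CONF"; then
  echo "auditd.conf matches the documented defaults"
else
  echo "auditd.conf differs from the documented defaults"
fi
echo "audit log files present: $(count_audit_logs "$SAMPLE_LOGDIR") (num_logs = $(audit_setting "$SAMPLE_CONF" num_logs))"
```

If the file count exceeds num_logs, rotation is not behaving as configured and the settings above are the first thing to compare.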