I'm using CentOS 7. trying to view auditd
logs in journalctl
When I try journalctl -u auditd
I see the following output:
-- Logs begin at Wed 2018-09-05 08:59:19 EDT, end at Wed 2018-09-19 15:01:01 EDT. --
Sep 05 12:59:25 centos7 systemd[1]: Starting Security Auditing Service...
Sep 05 12:59:25 centos7 auditd[563]: Started dispatcher: /sbin/audispd pid: 565
Sep 05 12:59:25 centos7 audispd[565]: No plugins found, exiting
Sep 05 12:59:25 centos7 auditd[563]: Init complete, auditd 2.8.1 listening for events (startup state enable)
Sep 05 12:59:25 centos7 augenrules[567]: /sbin/augenrules: No change
Sep 05 12:59:25 centos7 augenrules[567]: No rules
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 augenrules[567]: enabled 1
Sep 05 12:59:25 centos7 augenrules[567]: failure 1
Sep 05 12:59:25 centos7 augenrules[567]: pid 563
Sep 05 12:59:25 centos7 augenrules[567]: rate_limit 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog_limit 8192
Sep 05 12:59:25 centos7 augenrules[567]: lost 0
Sep 05 12:59:25 centos7 augenrules[567]: backlog 1
Sep 05 12:59:25 centos7 systemd[1]: Started Security Auditing Service.
and that's where it ends.
If I run tail -3 /var/log/audit/audit.log
I see the output I expect:
type=CRED_REFR msg=audit(1537383661.096:4863): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1537383661.107:4864): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:setcred grantors=pam_env,pam_faillock,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1537383661.109:4865): pid=13894 uid=0 auid=0 ses=567 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
I looked at the instructions from https://major.io/2017/01/05/display-auditd-messages-with-journalctl/
Running this command from that page gave me this output and then waited (as expected).
$ journalctl -af _TRANSPORT=audit
-- Logs begin at Wed 2018-09-05 08:59:19 EDT. --
How do I configure journalctl
or auditd
to view the output I see from the audit.log
file in journalctl
?
I did not find any matches there either. Then I did this
journalctl _TRANSPORT=syslog
and found that I did have matches. This led me to some investigation and I found that if I filtered for something specific, for examplesshd
, then I found matches although they look completely different. Here's an actual example:output
Notice the IP addresses match. So try _TRANSPORT=syslog instead.