{"id":701,"date":"2018-08-08T01:56:39","date_gmt":"2018-08-08T01:56:39","guid":{"rendered":"http:\/\/hyderabadwebhosting.in\/blog\/?p=701"},"modified":"2018-08-06T01:57:38","modified_gmt":"2018-08-06T01:57:38","slug":"how-to-change-the-path-of-the-auditd-log-file-var-log-audit-audit-log","status":"publish","type":"post","link":"https:\/\/hyderabadwebhosting.in\/blog\/how-to-change-the-path-of-the-auditd-log-file-var-log-audit-audit-log\/","title":{"rendered":"How to change the path of the auditd log file \/var\/log\/audit\/audit.log"},"content":{"rendered":"

How to change the path of the auditd log file \/var\/log\/audit\/audit.log<\/span><\/strong><\/p>\n

An important task related to troubleshooting can arise from an understanding of activities commonly associated with the action of reading and writing files. Linux provides a simple utility for this. Known as auditd, this service (or daemon) starts during the boot process. Events are recorded to an associated log file found at \/var\/log\/audit and as it runs in the background, you can check the current service status with below command in case of CentOS\/RHEL 7 server:<\/span><\/p>\n

# systemctl status auditd<\/pre>\n
 <\/p>\n
It is possible to customize the auditing service and you can have direct access to manage the log file size, location, and associated attributes by accessing the following file with your favorite text editor:<\/span><\/p>\n
# vi \/etc\/audit\/auditd.conf<\/pre>\n
 <\/p>\n
Changing the default log file location for auditd<\/span><\/strong><\/p>\n
1. In the auditd configuration file \/etc\/audit\/auditd.conf, change the option log_file = \/var\/log\/audit\/audit.log so that it points to the new path, e. g.:<\/span><\/p>\n
# vi \/etc\/audit\/auditd.conf\r\n\r\nlog_file = \/auditd_logs\/audit.log<\/pre>\n
 <\/p>\n
2. If you have the SELinux enabled, configure default SELinux file context labels for the new path and restore the security contexts accordingly:<\/span><\/p>\n
# semanage fcontext -a -e \/var\/log\/audit '\/auditd_logs(\/.*)?'\r\n\r\nrestorecon -Rv \/auditd_logs<\/pre>\n
 <\/p>\n
3. Restart the auditd service for the changes to take effect.<\/span><\/p>\n
# systemctl restart auditd<\/pre>\n
 <\/p>\n
Verify<\/span><\/strong><\/p>\n
You can check the new log file \/auditd_logs\/audit.log getting the new auditd logs written to. Also from now on, when using the ausearch command, add the -if or \u2013input-logs switches:<\/span><\/p>\n
# ausearch -if \/auditd_logs\/audit.log -m avc -i -ts recent<\/pre>\n
 <\/p>\n
 \t
 \t\t \t\t\"www.pdf24.org\"<\/a> \t\t  <\/span> \t\tSend article as PDF<\/span> \t\t  <\/span> \t\t \t\t \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"
How to change the path of the auditd log file \/var\/log\/audit\/audit.log An important task related to troubleshooting can arise from an understanding of activities commonly associated with the action of reading and writing files. Linux provides a simple utility for this. Known as auditd, this service (or daemon) starts during the boot process. Events are\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","footnotes":""},"categories":[6],"tags":[],"class_list":["post-701","post","type-post","status-publish","format-standard","hentry","category-vps"],"_links":{"self":[{"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/comments?post=701"}],"version-history":[{"count":1,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/701\/revisions"}],"predecessor-version":[{"id":702,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/posts\/701\/revisions\/702"}],"wp:attachment":[{"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/media?parent=701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/categories?post=701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hyderabadwebhosting.in\/blog\/wp-json\/wp\/v2\/tags?post=701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}