Per [1], I was seeing tons of audit messages listed in logwatch reports.
(My patch fixes that, btw.) My actual question is why I wasn't seeing
those messages in my old (old) F20 logwatch reports, but did see:
--------------------- Kernel Audit Begin ------------------------
**Unmatched Entries**
enabled 0
flag 1
pid 0
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
instead. Is this your experience, that some upgrade started giving
tons of audit messages?
I think that previously, when logwatch looked at the logfiles, it was
misconfigured to not use /var/log/audit/audit.log, but instead:
LogFile = modsecurity2/modsec_audit.log
and what I saw came from /var/log/messages (not sure why). Now
logwatch looks at the journal (that's the format of the lines I see)
and is actually able to report audit issues.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1231364
--
____________________________________________________________________
TonyN.:' <mailto:tonynelson@georgeanelson.com>
      ' <http://www.georgeanelson.com/>
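The "Unmatched Entries" block above looks like a kernel audit status dump. As an added example (not part of the original post), the script below parses such lines and reports what a defender would want to know from them; it assumes the field names are the kernel audit status fields that `auditctl -s` prints (enabled, flag, pid, rate_limit, backlog_limit, lost, backlog, backlog_wait_time), and the sample input is constructed from the values shown in the post.

```python
"""Interpret kernel audit status lines such as those logwatch left unmatched.
Assumption: the names are the audit status fields printed by `auditctl -s`."""

# Constructed sample, copied from the values quoted in the post above.
SAMPLE = """\
enabled 0
flag 1
pid 0
rate_limit 0
backlog_limit 320
lost 0
backlog 0
backlog_wait_time 60000
"""

# Meaning of the kernel audit failure flag (audit_set_failure values).
FAILURE_FLAGS = {0: "silent", 1: "printk", 2: "panic"}


def parse_audit_status(text):
    """Parse 'name value' lines into a dict of ints; ignore anything else."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            status[parts[0]] = int(parts[1])
    return status


def audit_findings(status):
    """Return human-readable findings worth acting on, in a fixed order."""
    findings = []
    if status.get("enabled", 0) == 0:
        findings.append("auditing is disabled (enabled 0): the kernel records no events")
    if status.get("pid", 0) == 0:
        # With no daemon registered, the kernel emits audit records via printk,
        # which is why they can surface in /var/log/messages or the journal.
        findings.append("no audit daemon registered (pid 0): records fall back to printk")
    lost = status.get("lost", 0)
    if lost > 0:
        findings.append("%d audit record(s) lost (backlog overrun)" % lost)
    backlog, limit = status.get("backlog", 0), status.get("backlog_limit", 0)
    if limit and backlog >= limit * 0.8:
        findings.append("backlog %d is near backlog_limit %d" % (backlog, limit))
    return findings


def describe_failure_flag(status):
    """Map the numeric failure flag to its kernel meaning."""
    return FAILURE_FLAGS.get(status.get("flag", 1), "unknown")


if __name__ == "__main__":
    st = parse_audit_status(SAMPLE)
    print("failure mode:", describe_failure_flag(st))
    for finding in audit_findings(st):
        print("-", finding)
```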