Audit logs are not being generated on linux machine

Tags: audit, rhel6

Hi, we are using four Linux servers for one application. The application just simply generates reports using scripts. Now, for three servers audit logs are being generated in the /var/log/audit directory (as below), but for one server no logs are being generated.

[root@mhedr5 logs]# ls -ltr /var/log/audit |tail
total 24748
-r--------. 1 root root 6291614 Jun  4 11:45 audit.log.4
-r--------. 1 root root 6291485 Jun  4 20:26 audit.log.3
-r--------. 1 root root 6291563 Jun  5 05:40 audit.log.2
-r--------. 1 root root 6291676 Jun  5 14:52 audit.log.1
-rw-------. 1 root root  138601 Jun  5 15:07 audit.log

I am totally unaware of this concept. Is there any script running on the server which creates these logs? Is it related to any separate script, or is it a system property? How could I troubleshoot this problem? Could anyone please tell me or share any useful link? Please let me know if you need further information.

System info:
# lsb_release -a  (server where logs are being generated)
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 6.4 (Santiago)
Release:        6.4
Codename:       Santiago

Surprisingly, lsb_release -a is not a known command on the server where audit logs are not being generated... It is a Red Hat server too, though.

cat /etc/*-release    (server where audit logs are not being generated)
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Red Hat Enterprise Linux Server release 6.4 (Santiago) 

For server 1:

# chkconfig --list auditd
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# service auditd status
auditd (pid  4886) is running...

For server 2:

# chkconfig --list auditd
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# service auditd status
auditd (pid  11165) is running...

On server 2:

ls -lart /var/log/audit
total 16
drwxr-x---.  2 root root 12288 Feb 19 15:00 .
drwxr-xr-x. 12 root root  4096 Jun  1 03:28 ..

Best Answer

auditd is the userspace daemon that hooks into the kernel's audit subsystem and transfers those logs to the file system. Although all signs were that yours was running, you have found that restarting it caused the logs to start appearing on disc.

What was wrong? Who can now say. But you may want to take away from this the lesson that all daemons that don't appear to be working well can benefit from a kick in the pants!
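As an added example (not from the original thread or from the audit package), here is a small POSIX sh health check for the auditd pipeline the answer describes: it confirms the daemon is up, reads the kernel-side state with auditctl -s, and checks that audit.log is actually being written, which is the condition that separated the failing server from the other three. The commands are the RHEL 6 ones used in the question; the directory argument and the freshness thresholds are assumptions.

```shell
#!/bin/sh
# Added example: health check for the kernel audit -> auditd -> /var/log/audit pipeline.
# Assumes GNU stat/date and the RHEL 6 service/auditctl commands; the directory
# argument exists so the log check can be pointed at a constructed directory.

# audit_log_fresh DIR MAX_AGE_SECONDS
# Returns 0 if DIR/audit.log exists and was modified within MAX_AGE_SECONDS.
# A daemon that reports "running" but writes nothing (the situation in the
# question) shows up here as a missing or stale audit.log.
audit_log_fresh() {
    dir=$1; max_age=$2
    log="$dir/audit.log"
    [ -f "$log" ] || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$log" 2>/dev/null) || return 1
    [ $((now - mtime)) -le "$max_age" ]
}

# audit_pipeline_check [DIR]
# Prints one line per component and returns non-zero on any failure, so it can
# run from cron or a monitoring agent on each of the four servers.
audit_pipeline_check() {
    dir=${1:-/var/log/audit}
    rc=0
    if service auditd status >/dev/null 2>&1; then
        echo "auditd: running"
    else
        echo "auditd: NOT running"; rc=1
    fi
    # auditctl -s prints the kernel-side state: "enabled" must be 1 (or 2 when
    # locked) and a growing "lost" counter means events never reached auditd.
    if state=$(auditctl -s 2>/dev/null); then
        echo "$state" | grep -Eq 'enabled[ =][12]' || { echo "kernel audit: disabled"; rc=1; }
        lost=$(echo "$state" | sed -n 's/.*lost[ =]\([0-9]*\).*/\1/p' | head -n1)
        [ "${lost:-0}" -eq 0 ] || echo "kernel audit: $lost lost events"
    else
        echo "auditctl: unavailable (not root, or audit package missing)"; rc=1
    fi
    if audit_log_fresh "$dir" 3600; then
        echo "log: $dir/audit.log written within the last hour"
    else
        echo "log: $dir/audit.log missing or stale"; rc=1
    fi
    return $rc
}

# Usage: sh auditd_check.sh --check [/var/log/audit]
if [ "${1:-}" = "--check" ]; then
    audit_pipeline_check "${2:-/var/log/audit}"
fi
```

A non-zero exit from audit_pipeline_check on a host whose peers pass is the signal to restart auditd and then re-run the check, rather than trusting the "is running..." line from service status alone.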