How to prevent logging USER_AUTH and USER_LOGIN events with auditd

auditd

I am trying to log changes to a file system using auditd, but I am also seeing many other things being logged, for example all failed SSH login attempts (USER_AUTH and USER_LOGIN events). How can I prevent them from being logged? When I do auditctl -l I see only the path watching rules and no other rules.

Best Answer

For things you don't want in the audit logs, you can add them to an exclude filter. So if you want to exclude logins, you can do

[root@finch jenny]# auditctl -a exclude,never -F msgtype=USER_AUTH
[root@finch jenny]# auditctl -a exclude,never -F msgtype=LOGIN

will stop logging of all logins, successful or not. For more information about how to create these rules, see the man page for auditctl.

However, you might simply use aureport to search for the logs you do want, instead of blocking the ones you don't.
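As an added example (not part of the answer above), the script below writes the exclude rules in the syntax auditctl reads from a rules file, such as one under /etc/audit/rules.d/ which augenrules loads at boot (rules added live with auditctl -a are gone after a reboot), and dry-runs the filter against a few constructed audit.log records to show which types would be dropped. It also includes the USER_LOGIN type named in the question alongside the answer's USER_AUTH and LOGIN; the sample records and the output path are constructed for the example.

```shell
#!/bin/sh
# Record types to drop: USER_AUTH and LOGIN from the answer, USER_LOGIN from the question
# (assumption: the asker wants all three gone).
EXCLUDE_TYPES="USER_AUTH USER_LOGIN LOGIN"

# Emit one rule per type in rules-file syntax (auditctl arguments without the command name).
exclude_rules() {
    for t in $EXCLUDE_TYPES; do
        printf -- '-a exclude,never -F msgtype=%s\n' "$t"
    done
}

# Write the rules to the given path, e.g. /etc/audit/rules.d/10-exclude-logins.rules,
# then run `augenrules --load` as root to activate them. Path is a parameter so this
# runs without root for the dry run.
write_rules_file() {
    exclude_rules > "$1"
}

# Dry run: read audit.log records on stdin and print only those the exclude filter keeps.
# Every audit record starts with "type=<MSGTYPE> ", so anchor the match there.
filter_log() {
    pattern=""
    for t in $EXCLUDE_TYPES; do
        pattern="${pattern:+$pattern|}^type=$t "
    done
    grep -Ev "$pattern"
}

# Constructed sample records: two failed SSH attempts, one session login, one file watch hit.
sample_log() {
    cat <<'EOF'
type=USER_AUTH msg=audit(1700000000.100:201): pid=1234 uid=0 auid=4294967295 acct="root" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=ssh res=failed
type=USER_LOGIN msg=audit(1700000000.150:202): pid=1234 uid=0 auid=4294967295 acct="root" exe="/usr/sbin/sshd" addr=192.0.2.10 terminal=ssh res=failed
type=LOGIN msg=audit(1700000000.200:203): pid=1235 uid=0 old-auid=4294967295 auid=1000 ses=5 res=1
type=SYSCALL msg=audit(1700000000.300:204): arch=c000003e syscall=257 success=yes exit=3 auid=1000 key="etc_watch"
type=PATH msg=audit(1700000000.300:204): item=0 name="/etc/passwd" nametype=NORMAL
EOF
}

# Usage: show the rules, then the records that would remain in the log.
exclude_rules
sample_log | filter_log
```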