
Hi. We are using four Linux servers for one application. The application simply generates reports using scripts. Now, on three servers audit logs are being generated in the /var/log/audit directory (as below), but on one server no logs are being generated.

[root@mhedr5 logs]# ls -ltr /var/log/audit |tail
total 24748
-r--------. 1 root root 6291614 Jun  4 11:45 audit.log.4
-r--------. 1 root root 6291485 Jun  4 20:26 audit.log.3
-r--------. 1 root root 6291563 Jun  5 05:40 audit.log.2
-r--------. 1 root root 6291676 Jun  5 14:52 audit.log.1
-rw-------. 1 root root  138601 Jun  5 15:07 audit.log

I am totally unaware of this concept. Is there any script running on the server which creates these logs? Is it related to a separate script, or is it a system property? How could I troubleshoot this problem? Could anyone please tell me or share a useful link? Please let me know if you need further information.

System info:
# lsb_release -a  (server where logs are generating)
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 6.4 (Santiago)
Release:        6.4
Codename:       Santiago

Surprisingly, lsb_release -a is not a known command on the server where audit logs are not being generated, although it too is a Red Hat server.

cat /etc/*-release    (server where audit logs are not generating)
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Red Hat Enterprise Linux Server release 6.4 (Santiago) 

For server 1:

# chkconfig --list auditd
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# service auditd status
auditd (pid  4886) is running...

For server 2:

# chkconfig --list auditd
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
# service auditd status
auditd (pid  11165) is running...

on server 2:

ls -lart /var/log/audit
total 16
drwxr-x---.  2 root root 12288 Feb 19 15:00 .
drwxr-xr-x. 12 root root  4096 Jun  1 03:28 ..
  • Which distro are you running (and version)? – MadHatter Jun 05 '15 at 10:38
  • Hi. I have provided the details in the original question. – KnowledgeSeeeker Jun 05 '15 at 10:42
  • Thanks. Could you add the output of `chkconfig --list auditd` and `service auditd status`, both from the non-working and one of the working servers, to your question? – MadHatter Jun 05 '15 at 10:45
  • Hi, thanks for the reply. I have pasted the command results: server 1 (where logs are generating), server 2 (logs aren't generating). – KnowledgeSeeeker Jun 05 '15 at 10:55
  • Thanks again; scratch that hypothesis. And just for completeness, can we see the output of `ls -lart /var/log/audit` on server 2? – MadHatter Jun 05 '15 at 10:57
  • It's completely empty (pasted the result in the original question). – KnowledgeSeeeker Jun 05 '15 at 11:01
  • Hi. Moving forward with your help, I have restarted the log creation by using "service auditd condrestart" and I can see the logs generating in /var/log/audit/. I will monitor it and will come back to you in case of any issue. BTW, thanks a lot for your help and time. :) – KnowledgeSeeeker Jun 05 '15 at 11:23
  • I've written what we did up as an answer, so that barring any further changes you can accept it, and the question can be put to bed. – MadHatter Jun 05 '15 at 11:42

1 Answer


auditd is the userspace daemon that hooks into the kernel's audit subsystem and transfers those logs to the file system. Although all signs were that yours was running, you have found that restarting it caused the logs to start appearing on disc.

What was wrong? Who can now say. But you may want to take away from this the lesson that all daemons that don't appear to be working well can benefit from a kick in the pants!

MadHatter
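A triage script for the situation in this thread (auditd reports "running", nothing lands in /var/log/audit), added here as an example; it is not code from the question or from MadHatter's answer. It checks the one thing `service auditd status` cannot tell you: whether the kernel's audit subsystem is enabled and registered to the running daemon, which `auditctl -s` reports. Assumptions: a RHEL 6-era auditd 2.x (both `auditctl -s` output formats that line of releases has used are parsed), the stock /etc/audit/auditd.conf path, and that `pidof` is available. The sample status strings in the comments are constructed.

```shell
#!/bin/sh
# Triage for "auditd is running but /var/log/audit/audit.log stays empty".
# Added example, not code from the original question or answer. Assumes a
# RHEL 6-era auditd 2.x whose `auditctl -s` output is in one of two formats
# (both samples below are constructed):
#   AUDIT_STATUS: enabled=1 flag=1 pid=4886 rate_limit=0 backlog_limit=320 lost=0 backlog=0
# or one "key value" pair per line (enabled 1 / pid 4886 / lost 0 / ...).

# Print the value for one key from `auditctl -s` text read on stdin.
# '=' is turned into a space so both formats become "key value" token pairs.
audit_status_field() {
    awk -v key="$1" '{
        gsub(/=/, " ")
        for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit }
    }'
}

# Read log_file from an auditd.conf ($1); the daemon default is
# /var/log/audit/audit.log when the key is absent.
auditd_log_file() {
    f="$(sed -n 's/^[[:space:]]*log_file[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)"
    printf '%s\n' "${f:-/var/log/audit/audit.log}"
}

# Compare kernel audit status (stdin) with the pid reported for the daemon ($1).
# Prints one verdict line; returns 0 only when the kernel is enabled and
# registered to that pid, i.e. events can actually reach the log file.
audit_diagnose() {
    daemon_pid="$1"
    status="$(cat)"
    enabled="$(printf '%s\n' "$status" | audit_status_field enabled)"
    kernel_pid="$(printf '%s\n' "$status" | audit_status_field pid)"
    lost="$(printf '%s\n' "$status" | audit_status_field lost)"

    if [ "${enabled:-0}" = "0" ]; then
        echo "FAIL: kernel auditing is disabled (enabled=0): look for audit=0 on the kernel command line or '-e 0' in /etc/audit/audit.rules"
        return 1
    fi
    if [ "${kernel_pid:-0}" = "0" ]; then
        echo "FAIL: no daemon is registered with the kernel (pid=0), so events go to the kernel log instead of audit.log: restart auditd"
        return 2
    fi
    if [ -n "$daemon_pid" ] && [ "$kernel_pid" != "$daemon_pid" ]; then
        echo "FAIL: kernel audit is registered to pid $kernel_pid but auditd runs as pid $daemon_pid (stale registration): restart auditd"
        return 3
    fi
    if [ "${lost:-0}" != "0" ]; then
        echo "WARN: kernel reports $lost lost events (backlog overflow): raise the backlog limit with 'auditctl -b'"
        return 0
    fi
    echo "OK: kernel audit enabled and registered to pid $kernel_pid, no lost events"
    return 0
}

# Live run on the affected host (RHEL 6 paths): sh audit-triage.sh --live
if [ "${1:-}" = "--live" ]; then
    logf="$(auditd_log_file /etc/audit/auditd.conf)"
    echo "auditd pid(s): $(pidof auditd)"          # empty when the daemon is not running
    echo "log file from auditd.conf: $logf"
    ls -l "$logf" 2>&1
    auditctl -s | audit_diagnose "$(pidof auditd | awk '{print $1}')"
fi
```

Run it with `--live` on the affected host. A `pid=0` or mismatched-pid verdict is the shape of the problem in this thread: the service is up, but nothing is registered with the kernel to receive events, and `service auditd restart` (or `condrestart`) re-registers the daemon. An `enabled=0` verdict means auditing was switched off in the kernel itself, so check the rules file and the kernel command line as well as restarting the daemon.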