hello.
I would like to write a rule to exclude this two kind of log in /var/log/audit/audit.log :
I have try these :
Depending of the rules I tried, I got
1°) no success, because the logs continue to show the unwanted message
or
2°)
Any help is welcome
I would like to write a rule to exclude this two kind of log in /var/log/audit/audit.log :
Code:
type=SERVICE_START msg=audit(1409313085.765:9015): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'Code:
type=SERVICE_STOP msg=audit(1409313085.765:9016): pid=1 uid=0 auid=4294967295 ses=4294967295 msg=' comm="mysqld@2" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'Code:
-a exclude,always -F auid=4294967295Code:
-a exclude,always -F msgtype=SERVICE_START -F auid=4294967295
-a exclude,always -F msgtype=SERVICE_STOP -F auid=4294967295Code:
-a exclude,always -S all -F uid=0 -F auid=4294967295Code:
-a exit,never -S all -F uid=0 -F auid=42949672951°) no success, because the logs continue to show the unwanted message
or
2°)
Code:
Only msgtype field can be used with exclude filter
There was an error in line 14 of /etc/audit/audit.rules