Idea ID: 2798351

Audit events coming from RHEL 8.x correctly parsed by the audit syslog or file reader

Status: Accepted
over 1 year ago

Hello, 


we discovered that the audit events from RHEL 8.x (CentOS 8.x) are slightly different from RHEL 7.x (CentOS 8.x), and because of that the current parser for this technology is not able to parse the events anymore.

I am adding the export of the events from my ESM test environment.


Regarding the auditd.conf file: according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#audit_security the auditd.conf file is no longer located under /etc/audisp; its location is now /etc/audit/.


Audit 3.0 replaces audispd with auditd

With this update, functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf. In addition, the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command.

the 

Best Regards, 


Daniel
