Idea ID: 2798351

Audit events comming from RHEL 8.x correctly parsed by the audit syslog or file reader

Status : Accepted
over 1 year ago



we discovered that the the audit events from RHEL 8.x ( CentOS 8.x) are slide different from RHEL 7.x ( CentOS 8.x) and because of that the current parse for this technology is not able to pars the events anymore.

I am adding the export of the events from my ESM test environment.


Regarding the auditd.conf file according to this  the location of the auditd.conf is not longer part of /etc/audisp location is in /etc/audit/


Audit 3.0 replaces audispd with auditd

With this update, functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf. In addition, the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command.


Best Regards,