Audit events coming from RHEL 8.x correctly parsed by the audit syslog or file reader

Idea ID 2798351


Hello,

we discovered that the audit events from RHEL 8.x (CentOS 8.x) are slightly different from RHEL 7.x (CentOS 8.x) and because of that the current parser for this technology is not able to parse the events anymore.

I am adding the export of the events from my ESM test environment.

Regarding the auditd.conf file: according to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#audit_security the configuration is no longer located under /etc/audisp; it is now in /etc/audit/.


Audit 3.0 replaces audispd with auditd

With this update, functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf. In addition, the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command.

the 

Best Regards,

Daniel
