Idea ID 2798351
We discovered that the audit events from RHEL 8.x (CentOS 8.x) are slightly different from RHEL 7.x (CentOS 8.x), and because of that the current parser for this technology is not able to parse the events anymore.
I am adding the export of the events from my ESM test environment.
Regarding the auditd.conf file: according to this https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#audit_security the location of auditd.conf is no longer part of /etc/audisp; the location is in /etc/audit/
Audit 3.0 replaces audispd with auditd
With this update, functionality of audispd has been moved to auditd. As a result, audispd configuration options are now part of auditd.conf. In addition, the plugins.d directory has been moved under /etc/audit. The current status of auditd and its plug-ins can now be checked by running the service auditd state command.
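A check for which layout a host uses, as an added example that is not part of the original post or of any vendor tooling. The function names are hypothetical; it assumes the pre-3.0 plugin directory was /etc/audisp/plugins.d and that plugin files enable themselves with an `active = yes` line.

```shell
#!/bin/sh
# Added example: classify the audit configuration layout under a
# filesystem root, so a log collector knows which plugins.d directory to use.

# audit_layout ROOT -> prints audit3 | audit2 | mixed | unknown
audit_layout() {
    root=${1:-}
    old="$root/etc/audisp/plugins.d"   # assumed pre-3.0 location (audispd)
    new="$root/etc/audit/plugins.d"    # location named in the quoted note
    if [ -d "$new" ] && [ -d "$old" ]; then
        echo mixed      # both present: check where the plugin is enabled
    elif [ -d "$new" ]; then
        echo audit3
    elif [ -d "$old" ]; then
        echo audit2
    else
        echo unknown
    fi
}

# active_plugins DIR -> prints the name of each plugin file with "active = yes"
active_plugins() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue        # unmatched glob or non-file: skip
        if grep -Eq '^[[:space:]]*active[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$f"; then
            basename "$f" .conf
        fi
    done
}

# Stand-alone use: sh script.sh --report   (inspects the live system)
if [ "${1:-}" = "--report" ]; then
    echo "layout: $(audit_layout "")"
    for d in /etc/audisp/plugins.d /etc/audit/plugins.d; do
        [ -d "$d" ] && echo "$d active: $(active_plugins "$d" | tr '\n' ' ')"
    done
fi
```

A `mixed` result on an upgraded host means a plugin file may still sit in the old directory, so compare the active plugins reported for each directory.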