Jonathan Billings wrote:
On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth@5-cent.us wrote:
I really am going crazy, trying to deal with the hourly logs from the loghost. We've got 170+ servers and workstations... but a *very* large percentage of what's showing up is from his bloody new fedora 22, with its idiot systemd logging of *every* selinux message to /var/log/messages.
    systemctl enable auditd
    systemctl start auditd
Now your SELinux (and other audit) logs are going to /var/log/audit/audit.log.
Um, no. That was where I started this thread - my manager updated his fedora box from 20 to 22, and there's a bug about it https://bugzilla.redhat.com/show_bug.cgi?id=1227379, where it appears that the systemd folks have demanded *all* logs, and are multicast spitting out the selinux logs *also* to /var/log/messages.
And I just checked, and yes, auditd is running.
So I'm back to trying to find the correct syntax to filter all the successes seen by auditd from getting to messages....
mark
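The filter Mark is asking for, written out as an added example that is not from the thread: it drops only the audit records that report success and keeps AVC denials and other failures in /var/log/messages. The sample lines are constructed, and the example assumes journald forwards audit records under the program name `audit` with success marked as `success=yes` (syscall records) or `res=success` (user-space records); hostname, PIDs and addresses are made up.

```python
import re

# Constructed sample of what journald forwards to /var/log/messages; host, PIDs
# and 192.0.2.x addresses are placeholders, the record shapes follow auditd's.
SAMPLE_MESSAGES = """\
Jul 23 13:19:44 fedora22 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=crond comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jul 23 13:19:45 fedora22 audit[1]: USER_LOGIN pid=1 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.5 addr=192.0.2.5 terminal=/dev/pts/1 res=failed'
Jul 23 13:19:46 fedora22 audit[1]: SYSCALL arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat"
Jul 23 13:19:47 fedora22 audit[1]: AVC avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
Jul 23 13:19:48 fedora22 sshd[2300]: Accepted publickey for mark from 192.0.2.5 port 50022 ssh2
"""

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def is_audit_success(line):
    """True only for audit records that report success.

    Gating on the program name keeps 'success=yes' in an unrelated message from
    being dropped; matching only the success markers keeps AVC denials and
    res=failed records, which are the lines worth seeing in messages.
    """
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "audit":
        return False
    msg = m.group("msg")
    return " success=yes" in msg or "res=success" in msg


def filter_messages(text):
    """Split raw syslog text into (kept, dropped) lists of lines.

    This models the rsyslog rule one would put ahead of the /var/log/messages
    action:  if $programname == 'audit' and ($msg contains 'success=yes'
    or $msg contains 'res=success') then stop
    """
    kept, dropped = [], []
    for line in text.splitlines():
        (dropped if is_audit_success(line) else kept).append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_messages(SAMPLE_MESSAGES)
    print("dropped %d success record(s), kept %d line(s)" % (len(dropped), len(kept)))
    for line in kept:
        print(line)
```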