Jonathan Billings wrote:
> On Thu, Jul 23, 2015 at 01:19:44PM -0400, m.roth at 5-cent.us wrote:
>> I really am going crazy, trying to deal with the hourly logs from the
>> loghost. We've got 170+ servers and workstations... but a *very* large
>> percentage of what's showing up is from his bloody new fedora 22, with
>> its idiot systemd logging of *every* selinux message to /var/log/messages.
>
> systemctl enable auditd
> systemctl start auditd
>
> Now your SELinux (and other audit) logs are going to
> /var/log/audit/audit.log.

Um, no. That was where I started this thread - my manager updated his
fedora box from 20 to 22, and there's a bug about it
<https://bugzilla.redhat.com/show_bug.cgi?id=1227379>, where it appears
that the systemd folks have demanded *all* logs, and are multicast
spitting out the selinux logs *also* to /var/log/messages.

And I just checked, and yes, auditd is running. So I'm back to trying to
find the correct syntax to filter all the successes seen by auditd from
getting to messages....

      mark