How to enable systemd's journal audit transport?

linux systemd logging auditd opensuse

Solution 1:

I would check these things:

  • The systemd-journald-audit.socket is configured to listen to a socket using the AF_NETLINK protocol. If systemctl status systemd-journald-audit.socket is not active, then systemd-journald.service is not using it.

  • Ensure systemd-journald-audit.socket is included inSockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket in the systemd-journald.service definition.

    If missing from your default systemd-journald.service, create an override at /etc/systemd/system/systemd-journald.service.d/override.conf:

    # systemctl edit systemd-journald.service
[Service]
Sockets=
Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
# systemctl restart systemd-journald.service

  • audit=0 has not been set as a kernel parameter. Check with cat /proc/cmdline.

Verify that audit is now in your set of field type _TRANSPORT

# journalctl --field _TRANSPORT
stdout
kernel
syslog
journal
audit
driver

Related

Different path for two users added in Docker group
How to check if external hard drive is spinning or in sleep mode through the command line?
How do I port forward on a Genexis Platinum 4410?
Scheduled task Windows shutdown - Will this run if Windows Update is busy?
how to get max number of redirects on Chrome? (before ERR_TOO_MANY_REDIRECTS )
How can I snapshot a VM before booting it for the first time?
Expressing $\sin(2x)$ as a polynomial of $\sin{x}$
The least prime greater than 2000
What does a probability of $1$ mean?
Why don't we include $\pm\infty$ in $\mathbb R$?
Proving that $\mathbb{F}^\infty$ is infinite-dimensional.
Why are compact sets called "compact" in topology?