aureport : <no events of interest were found>
by idleman from LinuxQuestions.org on (#6QJXZ)
Hi All,
I have a question about the RHEL 6 aureport.
We have 4 RHEL 6.7 servers that have already been running for over 10 years.
A user reported last week that one of the servers can't show the summary reports of the audit logs.
I checked that the auditd.conf on the 4 servers is identical; the config has not been modified since 2014, and there has been no reboot in recent days.
We found that the audit logs are being updated, but aureport can't display the report.
Could any professional share experience/knowledge to help find the cause?
[root@mail01-2 audit]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)
[root@mail01-2 audit]#
[root@mail01-2 audit]# uptime
10:42:45 up 1046 days, 6:42, 2 users, load average: 0.00, 0.01, 0.00
[root@mail01-2 audit]#
[root@mail01-2 audit]# ll /etc/audit/auditd.conf
-rw-r-----. 1 root root 701 Aug 10 2014 /etc/audit/auditd.conf
[root@mail01-2 audit]#
[root@mail01-2 audit]# ll -thr
total 30M
-r--------. 1 root root 6.1M Sep 7 01:50 audit.log.4
-r--------. 1 root root 6.1M Sep 7 16:25 audit.log.3
-r--------. 1 root root 6.1M Sep 8 07:02 audit.log.2
-r--------. 1 root root 6.1M Sep 8 22:01 audit.log.1
-rw-------. 1 root root 5.2M Sep 9 10:43 audit.log
[root@mail01-2 audit]#
[root@mail01-2 audit]# aureport -i --login
Login Report
============================================
# date time auid host term exe success event
============================================
<no events of interest were found>
[root@mail01-2 audit]# aureport -u --failed
User ID Report
====================================
# date time auid term host exe event
====================================
<no events of interest were found>
[root@mail01-2 audit]#
[root@mail01-2 audit]# cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
[root@mail01-2 audit]#
Thank you.