I'm on a Debian 11 server and my audit logs are going into /var/log/audit/audit.log as well as into /var/log/auth.log. They are filling up my auth.log and they really should not be going there. Below are the relevant portions of my configs:
/etc/rsyslog.conf
kern.debug /var/log/kern.log
daemon.* /var/log/daemon.log
*.info;cron,auth,authpriv.none /var/log/syslog
cron.* /var/log/cron.log
user.* /var/log/user.log
auth,authpriv.* /var/log/auth.log
/etc/audit/auditd.conf
log_file = /var/log/audit.log
I'm at a bit of a loss here as to what to do. How do I get my audit logs to send to /var/log/audit/audit.log only?
Asked by kathyl
(46 rep)
Mar 14, 2023, 08:53 AM
Last activity: Jul 31, 2025, 06:05 AM