Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0 votes, 0 answers, 28 views
The audisp-syslog process started by auditd when configured to send events to syslog does not log events. When it is killed and restarted, it works
The auditd system on an Oracle Linux 8.10 system is configured to start the audisp-syslog plugin to send audit events to syslog (rsyslog in this case) for onward processing. The following is the syslog.conf file in /etc/audit/plugins.d/:
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6 LOG_INFO
format = string
The process is started but no audit events are logged to syslog.
If I kill the audisp-syslog process that is started by the auditd subsystem on startup and restart it as follows:
kill -9
/sbin/audisp-syslog LOG_LOCAL6 LOG_INFO
It now works fine.
I found this bug on the Red Hat Bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=1794666, but it is closed. I tried the fix mentioned by the original poster, creating the syslog.conf file, but that did not work.
Has anyone else come across this?
JohnM
(1 rep)
Jul 23, 2025, 05:34 PM
• Last activity: Jul 23, 2025, 05:35 PM
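auditd starts each plugin listed under plugins.d by executing the configured path with the whitespace-separated args, which is exactly what the manual restart in the question reproduces by hand. The script below is an added diagnostic, not code from the question or from the audit project: it parses a plugin file with the same key = value rules, checks the fields auditd requires, prints the command line auditd would spawn, and, with --live on the affected host, compares that with the process actually running and pushes a marker record through the dispatcher with auditctl -m to see whether it reaches syslog. The live part assumes root, a running auditd, and that syslog(3) output lands in journald as on a default EL8 host; these are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added diagnostic for an auditd dispatcher plugin file (plugins.d/*.conf).
# Not from the question or the audit project. Assumptions: the key = value
# parsing below mirrors auditd's plugin format; live_check needs root, a
# running auditd, and (as on a default EL8 host) journald receiving syslog(3).

# plugin_get FILE KEY: print KEY's value with surrounding whitespace removed,
# or nothing if the key is absent. Comment and blank lines are skipped.
plugin_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || !NF { next }
        index($0, "=") == 0    { next }
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# plugin_cmdline FILE: the command line auditd spawns for this plugin,
# i.e. "path" followed by the whitespace-separated "args".
plugin_cmdline() {
    _p=$(plugin_get "$1" path)
    _a=$(plugin_get "$1" args)
    printf '%s%s\n' "$_p" "${_a:+ $_a}"
}

# plugin_check FILE: print one line per problem; return 0 only if the file
# describes an active, outbound plugin with a valid type, format and path.
plugin_check() {
    _f=$1 _rc=0
    [ "$(plugin_get "$_f" active)" = yes ] || { echo "$_f: active is not yes"; _rc=1; }
    [ "$(plugin_get "$_f" direction)" = out ] || { echo "$_f: direction is not out"; _rc=1; }
    case $(plugin_get "$_f" type) in
        always|builtin) ;;
        *) echo "$_f: type must be always or builtin"; _rc=1 ;;
    esac
    case $(plugin_get "$_f" format) in
        string|binary) ;;
        *) echo "$_f: format must be string or binary"; _rc=1 ;;
    esac
    _p=$(plugin_get "$_f" path)
    if [ -z "$_p" ]; then
        echo "$_f: path is missing"; _rc=1
    elif [ -e "$_p" ] && [ ! -x "$_p" ]; then   # only meaningful on the audit host
        echo "$_f: $_p is not executable"; _rc=1
    fi
    return $_rc
}

# live_check FILE: compare the process auditd actually spawned with the
# configured command line, then send a user-space audit record (auditctl -m)
# and look for it where syslog(3) output lands (assumed: the journal).
live_check() {
    _f=$1
    _want=$(plugin_cmdline "$_f")
    _name=$(basename "$(plugin_get "$_f" path)")
    _have=$(ps -o args= -C "$_name" 2>/dev/null | head -n 1)
    if [ -z "$_have" ]; then
        echo "$_name is not running: check that auditd is up and the plugin is active"
        return 1
    fi
    [ "$_have" = "$_want" ] || printf 'running:    %s\nconfigured: %s\n' "$_have" "$_want"
    _marker="audisp-check-$$-$(date +%s)"
    if ! auditctl -m "$_marker" >/dev/null 2>&1; then
        echo "auditctl -m failed (root and a running auditd are required)"
        return 1
    fi
    sleep 1
    if journalctl --since=-30s 2>/dev/null | grep -qF "$_marker"; then
        echo "marker record reached syslog through $_name"
    else
        echo "marker record not seen in the journal: $_name is running but nothing arrives (not forwarding, or LOG_LOCAL6 not routed here)"
        return 1
    fi
}

case ${1:-} in
    --live)
        _cfg=/etc/audit/plugins.d/syslog.conf
        plugin_check "$_cfg" && live_check "$_cfg"
        ;;
    *)
        # Demo on a constructed copy of the question's syslog.conf.
        _tmp=$(mktemp)
        cat > "$_tmp" <<'EOF'
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6 LOG_INFO
format = string
EOF
        if plugin_check "$_tmp"; then
            echo "config ok; auditd would spawn: $(plugin_cmdline "$_tmp")"
        fi
        rm -f "$_tmp"
        ;;
esac
```

Run without arguments it only validates the constructed copy of the question's file; run as root with --live on the Oracle Linux host it compares the spawned process against the configuration and reports whether a marker record makes it from auditd to syslog, which separates "plugin not running" from "plugin running but not forwarding".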
1 vote, 1 answer, 3407 views
FreeBSD: How do you use auditd for logging when files and folders are opened, read, moved, deleted or modified?
How do you use auditd for logging when files and folders are opened, read, moved, deleted or modified? Looking at the information here, I don't see how to accomplish the task.
I'm trying to get a log of folder and file access/modification on a FreeBSD system. File access is via a Samba share and I'm logging via SMB, but in some rare instances SMB doesn't log an event (like today, when a folder was moved it wasn't logged, but I moved a folder later and it was logged). Because of that, I'm looking for a more accurate alternative.
**UPDATE**
Here is what is not working with auditd on a FreeNAS 11 FreeBSD system.
Check the options the kernel was compiled with (looking for AUDIT):
sysctl kern.conftxt | grep AUDIT
> options AUDIT
My /etc/security/audit_control
#
# $FreeBSD$
#
dir:/var/audit
dist:off
flags:lo,aa,fr,fw,cl,fa,fc,fd
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
My /etc/security/audit_user:
#
# $FreeBSD$
#
testuser:lo,aa,fr,fw,cl,fa,fc,fd:no
root:lo:no
service auditd restart && service auditd status
results:
Trigger sent.
Starting auditd.
auditd is running as pid 45763.
Based on the audit_user man page:
> The flags field sets the system-wide default preselection mask for
> attributable events. In the example above, successful and failed
> login/logout events as well as authentication and authorization are
> audited for all users.
I should at least be getting login/logout logs for testuser and root. And because of:
> Per-user and global audit preselection configuration are evaluated at
> time of login, so users must log out and back in again for audit changes
> relating to preselection to take effect.
I then logged out and back in as testuser via ssh, created some directories and files, and deleted them. I did the same thing via a SMB share and then logged in as root to check trail.
praudit /var/audit/current
results:
header,56,11,audit startup,0,Fri May 24 09:50:23 2019, + 398 msec
text,auditd::Audit startup
return,success,0
trailer,56
Checking all available trails with praudit /var/audit/*:
header,56,11,audit startup,0,Wed May 22 14:41:33 2019, + 781 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:44:10 2019, + 766 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:54:51 2019, + 31 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:55:04 2019, + 451 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Thu May 23 18:55:04 2019, + 451 msec
text,auditd::Audit startup
return,success,0
trailer,56
I don't see any logs.
jtlindsey
(333 rep)
May 22, 2019, 10:21 PM
• Last activity: Dec 29, 2020, 12:02 AM
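Every record in the trails above is an "audit startup" record, which carries no subject token, so nothing attributable to testuser or root was written at all. The script below is an added example, not code from the question or from OpenBSM: it folds praudit's comma-separated text output into a per-event, per-user count, so that a trail containing only startup records is reported as such instead of being read line by line. sample_trail is a constructed trail: two of the startup records from the question plus two invented records for testuser (an OpenSSH login and a mkdir(2)) showing what attributable records look like; the user name, pid and address in them are assumptions.

```shell
#!/bin/sh
# Added example, not from the question: summarise a praudit(1) text trail
# per event type and per audited user, so that the absence of attributable
# records (anything beyond "audit startup") is explicit. sample_trail is a
# constructed trail in praudit's comma-separated format (two startup records
# from the question plus two invented records for testuser).

# audit_summary < praudit-output: print "<count>\t<event>\t<user>" per
# distinct pair; user is "-" when the record carries no subject token.
# praudit dates contain a comma, but the event name is always field 4.
audit_summary() {
    awk -F, '
        $1 == "header"  { ev = $4; user = "-"; next }
        $1 == "subject" { user = $2; next }      # field 2 is the audit user
        $1 == "trailer" { n[ev "\t" user]++; next }
        END { for (k in n) print n[k] "\t" k }
    ' | sort
}

# audit_count EVENT [USER] < praudit-output: number of matching records
# (all users when USER is omitted).
audit_count() {
    audit_summary | awk -F'\t' -v ev="$1" -v u="${2:-}" '
        $2 == ev && (u == "" || $3 == u) { c += $1 }
        END { print c + 0 }'
}

# Constructed sample trail (not real output from the FreeNAS host).
sample_trail() {
    cat <<'EOF'
header,56,11,audit startup,0,Wed May 22 14:41:33 2019, + 781 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,56,11,audit startup,0,Fri May 24 09:50:23 2019, + 398 msec
text,auditd::Audit startup
return,success,0
trailer,56
header,94,11,OpenSSH login,0,Fri May 24 09:55:01 2019, + 12 msec
subject,testuser,testuser,testuser,testuser,testuser,50102,50102,48473,192.0.2.10
text,successful login testuser
return,success,0
trailer,94
header,129,11,mkdir(2),0,Fri May 24 09:55:30 2019, + 500 msec
argument,2,0x1ed,mode
path,/home/testuser/newdir
subject,testuser,testuser,testuser,testuser,testuser,50102,50102,48473,192.0.2.10
return,success,0
trailer,129
EOF
}

if [ $# -gt 0 ]; then
    praudit "$@" | audit_summary        # e.g.: ./trail_summary.sh /var/audit/*
else
    echo "summary of the constructed sample trail (count, event, user):"
    sample_trail | audit_summary
fi
```

On the host in the question, praudit /var/audit/* | audit_summary (or auditreduce -u testuser /var/audit/* | praudit | audit_summary to restrict to one user) gives the same per-user view of the real trails. One caveat when the goal is SMB access: a daemon started at boot, such as smbd, has no audit ID, so its records are non-attributable and are selected by naflags rather than by flags or by the audit_user entry; the file classes must be in naflags for Samba's own file operations to appear in the trail at all.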
2 votes, 2 answers, 138 views
What does undocumented "proto" command line argument do in auditdistd on FreeBSD?
As you might know there is an auditdistd(8) daemon available on FreeBSD. It has some documented command line arguments like -c, -d, etc. (see more here).
I was trying to learn how it works when I stumbled upon code handling an undocumented command line argument, proto:
- Apparently, proto_exec is called when you execute /usr/sbin/auditdistd proto foo bar baz and foo bar baz are passed to the function as its arguments.
> /*
>  * We are executed from proto to create sandbox.
>  */
> if (argc > 1 && strcmp(argv[1], "proto") == 0) {
>         argc -= 2;
>         argv += 2;
>         if (proto_exec(argc, argv) == -1)
>                 err(EX_USAGE, "Unable to execute proto");
> }
> _(See /contrib/openbsm/bin/auditdistd/auditdistd.c:main() for more details.)_
- Here's the proto_exec function:
> int
> proto_exec(int argc, char *argv[])
> {
>         struct proto *proto;
>         int error;
>
>         if (argc == 0) {
>                 errno = EINVAL;
>                 return (-1);
>         }
>         /* Look the first argument up in the list of registered protocols. */
>         TAILQ_FOREACH(proto, &protos, prt_next) {
>                 if (strcmp(proto->prt_name, argv[0]) == 0)
>                         break;
>         }
>         if (proto == NULL) {
>                 errno = EINVAL;
>                 return (-1);
>         }
>         if (proto->prt_exec == NULL) {
>                 errno = EOPNOTSUPP;
>                 return (-1);
>         }
>         error = proto->prt_exec(argc, argv);
>         if (error != 0) {
>                 errno = error;
>                 return (-1);
>         }
>         /* NOTREACHED */
>         return (0);
> }
> _(See /contrib/openbsm/bin/auditdistd/proto.c:proto_exec() for more details.)_
Honestly, I cannot figure out what is happening here.
- The protos variable is initialized like this:
> static TAILQ_HEAD(, proto) protos = TAILQ_HEAD_INITIALIZER(protos);
> _(See /contrib/openbsm/bin/auditdistd/proto.c for more details.)_
- When /usr/sbin/auditdistd proto foo is called it just says:
> auditdistd: Unable to execute proto: Invalid argument
Does anyone know what this option is and how to use it?
Mateusz Piotrowski
(4983 rep)
Sep 13, 2016, 06:42 PM
• Last activity: Jun 12, 2017, 07:39 AM