I did my homework and got everything logged into a file and not into syslog/journal.
From what it seems, by default systemd sets up its own listener for the kernel's audit events and logs them into syslog/journal.
The other alternative is using auditd to read these events and log them into a configurable log file.
Disable systemd's audit events logging:
systemctl stop systemd-journald-audit.socket
systemctl disable systemd-journald-audit.socket
# masking will prevent starting by other services
# 'systemctl unmask' to reverse
systemctl mask systemd-journald-audit.socket
The audit events might still get logged into journal until you reboot.
Setup auditd
Install or make sure the auditd package is installed; it might be named differently depending on your distro. As of writing this article it's audit for Arch-based Manjaro.
Configuration file
The location of auditd.conf seems to differ (the online manpage has a different location), see your man auditd.conf.
The following configuration should do the trick; make sure /var/log/audit/ exists.
# /etc/audit/auditd.conf
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 5 # after how many messages to explicitly flush
max_log_file = 8 # size in MB per one log file
num_logs = 5 # keep n amount of rotated logs
# ... truncated
This file already existed on my system with some sane defaults, but these seem to be the most important options for logging. You should consult your manpage if it doesn't exist. One of the other probably important options is dispatcher=, for if you are using audit rules (audispd, /etc/audit/rules.d/).
Systemd unit for auditd
With the auditd package comes its own systemd unit file located in /usr/lib/systemd/system/auditd.service. There are a few comments in the service file; make sure to read it to check if these apply.
Copy that file to /etc/systemd/system/auditd.service, then issue
systemctl daemon-reload
systemctl start auditd.service
systemctl enable auditd.service # will be auto started with system
This all applies to my system, which is Manjaro with kernel 5.9.10-1, systemd 246 and audit version 2.8.5.
The systemd unit for logging audit events into syslog/journal might be named differently, and the existence of a systemd unit for auditd and its configuration path might differ in other distros as well.
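As an added example (not part of the original answer), here is a small POSIX sh checker for the auditd.conf settings shown above: it reads key = value lines while ignoring comment lines and trailing "# ..." text, confirms local_events and write_logs are yes and that the log_file directory exists (auditd will not start without it), and estimates the rotated log footprint. The function names, the "last occurrence of a key wins" rule and the ROTATE assumption in the size estimate are mine, not auditd's documented behaviour.

```shell
#!/bin/sh
# Added example, not from the original answer: sanity-check an auditd.conf
# for the settings the answer relies on. Function names are assumptions.

# Print the value of KEY from FILE. Comment lines and trailing "# ..." text
# are ignored; if a key appears more than once the last one wins (assumption).
audit_conf_get() {
    key="$1"; file="$2"
    sed -n -e 's/[[:space:]]*#.*$//' \
           -e 's/^[[:space:]]*'"$key"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$file" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Check the settings the answer needs for file logging and report every
# problem found; returns 1 if any is found, 0 otherwise.
audit_conf_check() {
    file="$1"; rc=0
    [ "$(audit_conf_get local_events "$file")" = "yes" ] ||
        { echo "local_events must be yes"; rc=1; }
    [ "$(audit_conf_get write_logs "$file")" = "yes" ] ||
        { echo "write_logs must be yes, otherwise nothing is written to log_file"; rc=1; }
    log_file=$(audit_conf_get log_file "$file")
    if [ -z "$log_file" ]; then
        echo "log_file is not set"; rc=1
    elif [ ! -d "$(dirname "$log_file")" ]; then
        echo "$(dirname "$log_file") does not exist; create it before starting auditd"; rc=1
    fi
    return "$rc"
}

# Rough upper bound on disk use in MB: max_log_file * num_logs. Assumes the
# logs are rotated (max_log_file_action = ROTATE), which the snippet above
# does not show; prints 0 if either key is missing.
audit_conf_disk_mb() {
    max=$(audit_conf_get max_log_file "$1"); n=$(audit_conf_get num_logs "$1")
    [ -n "$max" ] && [ -n "$n" ] || { echo 0; return 0; }
    echo $((max * n))
}

# Usage: audit_conf_check /etc/audit/auditd.conf && echo "auditd.conf looks ok"
```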