1

On Ubuntu 20, I'm trying to send audit logs to [email protected]. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent to root on the local machine. So far I've tried the following:

  • When running echo "Subject: test" | sendmail -f root@my_machine.com [email protected], the test email is sent successfully.
  • /etc/audit/auditd.conf has been modified to replace action_mail_acct = root with action_mail_acct = [email protected]
  • After modifying auditd.conf, I restarted it using service auditd restart

I don't see any relevant errors in:

  • /var/log/mail.err
  • /var/log/mail.log

::: update :::

With the action_email_acct set to a real account, I then ran sudo ls in a terminal to generate an audit event that I can see in /var/log/audit/audit.log. Should I be seeing the audit event here if it's supposed to be emailed?

/etc/audit/auditd.conf screenshot

1
  • Do you get any interesting log information from running: journalctl -r -t auditd
    – James T
    Commented Aug 21, 2023 at 3:25

1 Answer

3
+50

The action_mail_acct is not for sending audit alerts but for giving notifications about low disk space (below space_left or admin_space_left) when space_left_action or admin_space_left_action is configured to email. From auditd.conf(5):

space_left_action

This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. exec /path-to-script will execute the script.

admin_space_left_action

This parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog.

1
  • sorry for the confusion, I updated my question to reflect the correct key "...acct" and also added a bounty.
    – J'e
    Commented Aug 17, 2023 at 15:07
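The answer's point, as an added example that is not part of the question or the answer: a POSIX shell check that reads an auditd.conf-style file and reports whether the address in action_mail_acct can ever be used, which is only the case when space_left_action or admin_space_left_action is set to email. The two sample configs, their file contents and the address audit@example.invalid are constructed assumptions; on a real host pass /etc/audit/auditd.conf instead.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Checks an auditd.conf
# for the situation the answer describes: action_mail_acct points at a real
# mailbox, but neither space_left_action nor admin_space_left_action is
# "email", so auditd never sends anything to that address.

# Print the last value assigned to key $2 in file $1. Lines look like
# "key = value"; '#' starts a comment. Prints nothing when the key is absent.
auditd_conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                      # strip comments
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v                # last assignment wins
        }
        END { print val }' "$1"
}

# Classify how action_mail_acct in file $1 will be used. Prints one of:
#   mail-on-low-space  an *_action is email, so the address receives warnings
#   mail-never-sent    no *_action is email; the address is never used
#   no-address         no action_mail_acct line found
# Exit status is 0 only for mail-on-low-space.
audit_mail_check() {
    conf="$1"
    acct=$(auditd_conf_get "$conf" action_mail_acct)
    # auditd accepts these values in any case, so compare lowercased.
    sla=$(auditd_conf_get "$conf" space_left_action | tr '[:upper:]' '[:lower:]')
    asla=$(auditd_conf_get "$conf" admin_space_left_action | tr '[:upper:]' '[:lower:]')
    if [ -z "$acct" ]; then
        echo "no-address"
        return 1
    fi
    if [ "$sla" = "email" ] || [ "$asla" = "email" ]; then
        echo "mail-on-low-space"
        return 0
    fi
    echo "mail-never-sent"
    return 1
}

# Constructed sample 1: the asker's setup, mail account changed but the
# disk-space actions left at their defaults.
SAMPLE_ASKER=$(mktemp)
cat >"$SAMPLE_ASKER" <<'EOF'
# constructed fragment of an auditd.conf
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
action_mail_acct = audit@example.invalid
admin_space_left = 50
admin_space_left_action = SUSPEND
EOF

# Constructed sample 2: the same file with space_left_action set to email,
# which is the only way action_mail_acct gets used.
SAMPLE_FIXED=$(mktemp)
cat >"$SAMPLE_FIXED" <<'EOF'
# constructed fragment of an auditd.conf
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = email
action_mail_acct = audit@example.invalid
admin_space_left = 50
admin_space_left_action = SUSPEND
EOF

# Report both samples when run directly.
for f in "$SAMPLE_ASKER" "$SAMPLE_FIXED"; do
    printf '%s: %s\n' "$f" "$(audit_mail_check "$f")"
done
```

Running the script prints mail-never-sent for the first sample and mail-on-low-space for the second; the audit events themselves still only go to log_file, since none of these settings forwards records by mail.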
