Score:1

Audit log emails not going to the correct address

J'e

On Ubuntu 20, I'm trying to send audit logs to [email protected]. I do have a real domain and email server but I'm redacting them here. When I trigger an audit event, the email is instead sent to root on the local machine. So far I've tried the following:

  • Running `echo "Subject: test" | sendmail -f root@my_machine.com [email protected]`, the test email is sent successfully.
  • `/etc/audit/auditd.conf` has been modified to replace `action_mail_acct = root` with `action_mail_acct = [email protected]`
  • After modifying `auditd.conf`, I restarted it using `service auditd restart`

I don't see any relevant errors in:

  • /var/log/mail.err
  • /var/log/mail.log

::: update :::

With the `action_email_acct` set to a real account, I then ran `sudo ls` in a terminal to generate an audit event that I can see in `/var/log/audit/audit.log`. Should I be seeing the audit event here if it's supposed to be emailed?

[screenshot of /etc/audit/auditd.conf]

James T
Do you get any interesting log information from running `journalctl -r -t auditd`?
Score:3

`action_mail_acct` is not for sending audit alerts but for giving notifications about low disk space (below `space_left` or `admin_space_left`) when `space_left_action` or `admin_space_left_action` is configured to `email`. From auditd.conf(5):

space_left_action

This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. exec /path-to-script will execute the script. [...]

admin_space_left_action

This parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, rotate, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. rotate will rotate logs, losing the oldest to free up space. email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. [...]

J'e
Sorry for the confusion, I updated my question to reflect the correct key "...acct" and also added a bounty.
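As an added check, not code from the question or the answer: a small POSIX shell script that parses an auditd.conf and reports whether `action_mail_acct` can ever be used, i.e. whether `space_left_action` or `admin_space_left_action` is set to `email` as the answer describes. It runs on two constructed sample files that mirror the question (Ubuntu's default actions with only the recipient changed, and the same file with the low-space warning switched to `email`); the paths and the `audit@example.com` address are placeholders, and nothing touches the live `/etc/audit/auditd.conf`.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks an auditd.conf for the
# situation in the question: action_mail_acct changed, but neither
# space_left_action nor admin_space_left_action set to "email", so per
# auditd.conf(5) the address is never used. Runs on constructed sample
# files, not the live /etc/audit/auditd.conf.

# conf_get FILE KEY: print KEY's value, ignoring comment lines and
# surrounding whitespace; last occurrence wins. Prints nothing if unset.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E "^[[:space:]]*$2[[:space:]]*=" \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# mail_triggers FILE: print each *_action key whose value is "email"
# (auditd compares these keywords case-insensitively, hence the default
# "SYSLOG"/"SUSPEND" spellings). Empty output means action_mail_acct will
# never receive mail.
mail_triggers() {
    for key in space_left_action admin_space_left_action; do
        val=$(conf_get "$1" "$key" | tr '[:upper:]' '[:lower:]')
        [ "$val" = "email" ] && printf '%s\n' "$key"
    done
    return 0
}

# audit_mail_check FILE: explain whether action_mail_acct is reachable.
# Returns 0 if some disk-space action will mail it, 1 otherwise.
audit_mail_check() {
    acct=$(conf_get "$1" action_mail_acct)
    acct=${acct:-root}                      # auditd.conf(5): default is root
    triggers=$(mail_triggers "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$triggers" ]; then
        printf '%s: action_mail_acct=%s is set, but no *_action is "email": auditd will never mail it\n' "$1" "$acct"
        return 1
    fi
    printf '%s: action_mail_acct=%s is mailed by: %s\n' "$1" "$acct" "$triggers"
    return 0
}

# Constructed sample 1: the question's situation (Ubuntu's default actions
# plus a changed recipient). The address is a placeholder.
BROKEN_CONF=$(mktemp) && FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat >"$BROKEN_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
action_mail_acct = audit@example.com
EOF

# Constructed sample 2: the same file with the soft low-space warning set
# to email, the one case in which the recipient is actually used.
cat >"$FIXED_CONF" <<'EOF'
# low-space warning goes to the audit mailbox, and to syslog as well
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = EMAIL
admin_space_left = 50
admin_space_left_action = SUSPEND
action_mail_acct = audit@example.com
EOF

audit_mail_check "$BROKEN_CONF" || :   # status 1: nothing will ever be mailed
audit_mail_check "$FIXED_CONF"
```

On a real host, call `audit_mail_check /etc/audit/auditd.conf` after the functions are sourced. The script only answers whether the low-disk-space warning will reach the configured address; as the answer says, `action_mail_acct` has nothing to do with mailing individual audit events.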
