9.1.5. Why aren’t audit logs being forwarded to syslog?
Audit logs can be sent to syslog in addition to being persisted
locally in /var/log/audit. However, SIMP disables forwarding
of audit logs to syslog, by default, because the logs are voluminous.
When these logs are sent to one or more remote syslog servers, the
logs can easily overwhelm the underlying network.
If forwarding of audit logs via syslog is appropriate for your site, you can enable it by setting the following in Hiera:
auditd::config::audisp::syslog::drop_audit_logs: false