Quick Tip: How to stop Auditbeat from logging to /var/log/messages

Remove the noise and send Auditbeat logs to its own directory: /var/log/auditbeat

Image by rawpixel (CC0).

The problem

By default, Auditbeat 7.x on Linux systems with systemd ships a service unit file that sends its logs to journald, which is how they end up in /var/log/messages. However, Auditbeat has its own logging directory: /var/log/auditbeat. If you prefer to remove the noise from your system log and send Auditbeat logs to its own directory, then keep reading.

Tested Environment

This fix was tested on three different machines with CentOS 7, 8, and Fedora 33 all running Auditbeat 7.9.3.

Note: This behavior also occurs in other agents of the Elastic Beats family, such as Filebeat and Metricbeat. The fix is the same for all of them as well.

The fix

1. Remove the parameter --environment systemd from the file /usr/lib/systemd/system/auditbeat.service:

Before:

ExecStart=/usr/share/auditbeat/bin/auditbeat --environment systemd $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS

After:

ExecStart=/usr/share/auditbeat/bin/auditbeat $BEAT_LOG_OPTS $BEAT_CONFIG_OPTS $BEAT_PATH_OPTS

2. Reload the systemd configuration and restart the service:

systemctl daemon-reload
systemctl restart auditbeat
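The same fix as an added example (not from the original post), done through a systemd drop-in override rather than by editing the vendor unit in place, so a package upgrade that replaces /usr/lib/systemd/system/auditbeat.service does not silently put the flag back. It assumes the ExecStart line and paths quoted above; the drop-in directory and the APPLY_AUDITBEAT_FIX switch are this example's own names.

```shell
#!/bin/sh
# Added example: install a drop-in that overrides ExecStart without
# "--environment systemd". Assumes the Auditbeat 7.x RPM default paths.
UNIT=auditbeat
VENDOR_UNIT=/usr/lib/systemd/system/$UNIT.service
DROPIN_DIR=${DROPIN_DIR:-/etc/systemd/system/$UNIT.service.d}

# Strip "--environment systemd" from an ExecStart line, leaving the rest intact.
# Uses POSIX BRE only, so it works with both GNU and BusyBox sed.
strip_environment_flag() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*--environment[[:space:]][[:space:]]*systemd//'
}

# Drop-in body: an empty "ExecStart=" resets the vendor value (systemd
# requires this for Type=simple units), the next line sets the replacement.
dropin_body() {
    exec_line=$(strip_environment_flag "$1")
    printf '[Service]\nExecStart=\n%s\n' "$exec_line"
}

# Write override.conf into the given directory (parameterised so the
# generation step can be exercised in a temp dir) and print its path.
write_dropin() {
    dir=$1; exec_line=$2
    mkdir -p "$dir"
    dropin_body "$exec_line" > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Read the live ExecStart from the vendor unit, install the override, reload, restart.
apply_fix() {
    exec_line=$(grep '^ExecStart=' "$VENDOR_UNIT" | head -n 1)
    [ -n "$exec_line" ] || { echo "no ExecStart in $VENDOR_UNIT" >&2; return 1; }
    write_dropin "$DROPIN_DIR" "$exec_line"
    systemctl daemon-reload
    systemctl restart "$UNIT"
}

# Validation: the effective ExecStart no longer carries the flag and
# the file logger has started writing to /var/log/auditbeat/auditbeat.
verify_fix() {
    systemctl show -p ExecStart "$UNIT" | grep -q -- '--environment systemd' && return 1
    test -s /var/log/auditbeat/auditbeat
}

# Only touch the system when explicitly asked, so the file can be sourced safely.
if [ "${APPLY_AUDITBEAT_FIX:-0}" = 1 ]; then
    apply_fix && verify_fix
fi
```

Run it as root with APPLY_AUDITBEAT_FIX=1 to apply; afterwards `systemctl cat auditbeat` shows the vendor unit followed by the drop-in.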

The validation

Confirm that all Auditbeat logs are now going to /var/log/auditbeat/auditbeat.

Thanks for reading! Please let me know if this easy fix works for you as well.


Roberto Meléndez

Engineer @devo_Inc, an Enterprise Logging and Security Analytics unicorn | Tech enthusiast | Traveler | Music Lover | Mexican 🔗 linkedin.com/in/rcmelendez