All notes
Audi

audispd

It is started by the auditd. It takes audit events and distributes them to child programs like syslog (see plugins for detail).

plugins

man7.org: audispd.


active = no # This plugin is turned off.
direction = out # This plugin is used to process the output audit events.
path = builtin_af_unix
type = builtin # Builtin should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog.
args = 0640 /var/run/audispd_events
format = string

Log to syslog

Stop sending logs to /var/log/messages

wcfNote: /etc/audisp/plugins.d/syslog.conf is where we make audispd log to syslog.

access.redhat.com.

First, you need to be on version 1.8-2.el5 of audit or the config settings won't take effect.

The first conf you need to edit is /etc/audisp/plugins.d/syslog.conf
on the "args" line add "LOG_LOCAL6" and save the file.

Then edit /etc/syslog.conf
In this area, add ;local6.none to the /var/log/messages line like below:
*.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages

Restart syslog and auditd, and audit will stop sending logs to the messages log.
Chose local6 instead of local0 as I didn't want the audit messages getting thrown to the kernel level.