audispd is started by auditd. It takes audit events and distributes them to child programs such as syslog (see plugins for details).
Example plugin configuration for the builtin af_unix plugin:

active = no            # This plugin is turned off.
direction = out        # This plugin is used to process the output audit events.
path = builtin_af_unix
type = builtin         # Builtin should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog.
args = 0640 /var/run/audispd_events
format = string
Log to syslog
Stop sending logs to /var/log/messages
Note: /etc/audisp/plugins.d/syslog.conf is where we make audispd log to syslog.
First, you need to be on version 1.8-2.el5 of audit or the config settings won't take effect.

1. Edit /etc/audisp/plugins.d/syslog.conf: on the "args" line add LOG_LOCAL6 and save the file.
2. Edit /etc/syslog.conf: add ;local6.none to the /var/log/messages line, like below:
   *.info;mail.none;authpriv.none;cron.none;local6.none /var/log/messages
3. Restart syslog and auditd. Audit will stop sending logs to the messages log.
I chose local6 instead of local0 as I didn't want the audit messages getting thrown to the kernel level.
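To confirm that both edits above actually took (the plugin's "args" line names a local facility, and the /var/log/messages rule excludes that facility), here is an added shell check that is not part of the original page. It runs against constructed copies of the two files, and assumes the stock layout of plugins.d/syslog.conf with an "args =" line plus a syslog.conf rule whose action is /var/log/messages.

```shell
# Added example, not from the original page: verify the two edits described
# above against constructed copies of the files, so it runs offline.
# Assumes the stock plugins.d/syslog.conf layout (an "args =" line) and a
# syslog.conf rule whose action field is /var/log/messages.
# Print the LOG_LOCALn facility on the plugin's "args =" line; exit 1 if none.
syslog_plugin_facility() {
    grep -E '^[[:space:]]*args[[:space:]]*=' "$1" \
        | grep -oE 'LOG_LOCAL[0-7]' | head -n 1 | grep .
}
# Exit 0 if the /var/log/messages rule in $1 lists "$2.none" among its
# ';'-separated selectors, 1 if the rule exists but does not, 2 if no rule.
messages_excludes() {
    sel=$(awk '$1 !~ /^#/ && $NF ~ /^-?\/var\/log\/messages$/ { print $1; exit }' "$1")
    [ -n "$sel" ] || return 2
    case ";$sel;" in
        *";$2.none;"*) return 0 ;;
        *)             return 1 ;;
    esac
}
# Exit 0 only when the plugin sends to a local facility AND syslog keeps that
# facility out of /var/log/messages, i.e. both steps above were applied.
audit_kept_out_of_messages() {
    fac=$(syslog_plugin_facility "$1") || return 1
    messages_excludes "$2" "$(printf '%s' "$fac" | tr '[:upper:]' '[:lower:]' | sed 's/^log_//')"
}
# Constructed sample files (not real system state): before and after the edits.
TMP=$(mktemp -d)
printf 'args = LOG_INFO\n' > "$TMP/plugin_before.conf"
cat > "$TMP/plugin_after.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
EOF
printf '*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n' \
    > "$TMP/syslog_before.conf"
printf '*.info;mail.none;authpriv.none;cron.none;local6.none\t/var/log/messages\n' \
    > "$TMP/syslog_after.conf"
for state in before after; do
    if audit_kept_out_of_messages "$TMP/plugin_$state.conf" "$TMP/syslog_$state.conf"; then
        echo "$state: audit events stay out of /var/log/messages"
    else
        echo "$state: audit events still land in /var/log/messages"
    fi
done
```

Point the two functions at the real /etc/audisp/plugins.d/syslog.conf and /etc/syslog.conf to check a live host; a partial edit (facility set but local6.none missing, or the reverse) is reported as still landing in messages.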