auditd.service not running

[b3ta]

I was looking for something else, but saw this in the journal: kernel: kauditd_printk_skb: 16 callbacks suppressed. From what I understand, that either means that the kernel audit log is receiving messages too quickly, or that its daemon is not running, so I checked by running systemctl status auditd, which returned Unit auditd.service could not be found . Is it normal for Proxmox not to enable auditd?

In searching the forum I came across quite a few posts where journal entries include similar lines, but didn't see anyone query this specifically.

 

[sterzy]

Proxmox VE does not install auditd by default. If you want to use it, you should install it via apt install auditd. The message you see come from some other part of the kernel using a related mechanism to limit the amount of log messages. By default, the Linux kernel is configured so that the userspace auditd fully enables the audit sub-system. However, since that isn't installed, the kernel submodule is also never fully enabled. At least by default, you can install auditd or change the kernel command line to always enable the audit submodule.

 

[b3ta]

Thank you for the explanation, Shannon. It did seem a bit strange.