Process Audit Service Health

Microsoft.Linux.RHEL.5.Process.Audit.Monitor (UnitMonitor)

Red Hat Enterprise Linux Server 5 Process Audit Monitor

Knowledge Base article:

Summary

The audit daemon is not running. Check the Diagnostic and Recovery results to see if further action is required.

The audit daemon facilitates the writing of audit records to disk.

Causes

A failure indicates that the audit daemon is not running.

Resolutions

Check the service by running "ps -ef | grep auditd" or by viewing the diagnostic in the Operations Manager Console. Start the daemon by running "service auditd start" or by clicking the recovery link in the Operations Manager Console.

For root cause analysis, first check the system log file (/var/log/messages) and review any related entries from the time of the failure.

Element properties:

Target: Microsoft.Linux.RHEL.5.OperatingSystem
Parent Monitor: System.Health.AvailabilityState
Category: AvailabilityHealth
Enabled: True
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Alert Auto Resolve: True
Monitor Type: Microsoft.Unix.WSMan.Process.Status.MonitorType
Remotable: True
Accessibility: Public
Alert Message:
    Audit daemon is not running
    The Kernel Auditing daemon on server {0} is not running.
RunAs: Default

Source Code:

<UnitMonitor ID="Microsoft.Linux.RHEL.5.Process.Audit.Monitor" Accessibility="Public" Target="Microsoft.Linux.RHEL.5.OperatingSystem" TypeID="Unix!Microsoft.Unix.WSMan.Process.Status.MonitorType" Enabled="true" ParentMonitorID="SystemHealth!System.Health.AvailabilityState">
  <Category>AvailabilityHealth</Category>
  <AlertSettings AlertMessage="Microsoft.Linux.RHEL.5.Process.Audit.AlertMessage">
    <AlertOnState>Error</AlertOnState>
    <AutoResolve>true</AutoResolve>
    <AlertPriority>Normal</AlertPriority>
    <AlertSeverity>Error</AlertSeverity>
    <AlertParameters>
      <AlertParameter1>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/PrincipalName$</AlertParameter1>
    </AlertParameters>
  </AlertSettings>
  <OperationalStates>
    <OperationalState HealthState="Success" MonitorTypeStateID="Running" ID="Running"/>
    <OperationalState HealthState="Error" MonitorTypeStateID="NotRunning" ID="NotRunning"/>
  </OperationalStates>
  <Configuration>
    <TargetSystem>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</TargetSystem>
    <ProcessName>auditd</ProcessName>
    <Interval>300</Interval>
  </Configuration>
</UnitMonitor>