| Option | Description | Possible values |
|---|---|---|
| log_file | name of the log file | |
| log_format | How to flush the data from auditd to the log. | RAW. Only RAW is supported in this version. |
| priority_boost | The nice value for auditd. Used to run auditd at a certain priority. | |
| flush | Method of writing data to disk. | none, interval, data, sync |
| freq | Used when flush is incremental, states how many records written before a forced flush to disk. | |
| num_logs | Number of log files to use | |
| max_log_file | Maximum log size in megabytes. | |
| max_log_file_action | Action to take when the maximum log space is reached. | ignore, syslog, suspend, rotate |
| space_left | Low water mark | |
| space_left_action | What action to take when low water mark is reached | ignore, syslog, suspend, single, halt |
| admin_space_left | High water mark | |
| admin_space_left_action | What action to take when high water mark is reached | ignore, syslog, suspend, single, halt |
| disk_full_action | What action to take when disk is full | ignore, syslog, suspend, single, halt |
| disk_error_action | What action to take when an error is encountered while writing to disk. | |
Table 5-2: /etc/auditd.conf options
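The following checker is an added example, not part of the original document or of the audit package: it validates an auditd.conf against the possible values listed in Table 5-2 and reports any *_action option set to ignore, since that setting lets a logging failure pass without a response. It assumes one `name = value` pair per line, `#` comment lines, case-insensitive values and non-negative integers for the numeric options; the function name, finding labels and sample file are constructed for illustration.

```python
# Allowed values copied from Table 5-2. Options the table lists without
# possible values (log_file, space_left, disk_error_action, ...) are not checked.
_WATERMARK = {"ignore", "syslog", "suspend", "single", "halt"}
ALLOWED = {
    "log_format": {"raw"},
    "flush": {"none", "interval", "data", "sync"},
    "max_log_file_action": {"ignore", "syslog", "suspend", "rotate"},
    "space_left_action": _WATERMARK,
    "admin_space_left_action": _WATERMARK,
    "disk_full_action": _WATERMARK,
}
# Assumption: these options take a non-negative integer.
NUMERIC = {"priority_boost", "freq", "num_logs", "max_log_file"}

def check_auditd_conf(text):
    """Return a list of (line number, option, finding) tuples."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        name, value = name.strip().lower(), value.strip().lower()
        if not sep or not value:
            findings.append((lineno, name, "syntax"))
        elif name in NUMERIC and not value.isdigit():
            findings.append((lineno, name, "not-a-number"))
        elif name in ALLOWED and value not in ALLOWED[name]:
            findings.append((lineno, name, "invalid"))
        elif name.endswith("_action") and value == "ignore":
            # Valid per the table, but no response is taken on the condition.
            findings.append((lineno, name, "ignore"))
    return findings

SAMPLE = """\
# constructed sample, not from the original document
log_file = /var/log/audit/audit.log
log_format = RAW
flush = interval
freq = 20
max_log_file = five
max_log_file_action = ROTATE
space_left_action = sylog
admin_space_left_action = SUSPEND
disk_full_action = IGNORE
"""

if __name__ == "__main__":
    for lineno, option, finding in check_auditd_conf(SAMPLE):
        print(f"line {lineno}: {option}: {finding}")
```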
In addition to setting the audit filter rules, auditctl can be used to control the audit subsystem behavior in
the kernel even when auditd is running. These settings are listed in Table 5-3.