📖 ~1 min read
Table of contents
Symptom & Impact
augenrules –load fails with ‘rule exists’ or invalid syscall messages.
Environment & Reproduction
Old rule files from a previous kernel version reference renamed syscalls.
uname -r
auditctl -sRoot Cause Analysis
auditd refuses unknown or duplicate rules and stops loading the rest.
Quick Triage
Validate rule files individually.
for f in /etc/audit/rules.d/*.rules; do echo $f; auditctl -R $f; doneStep-by-Step Diagnosis
Identify offending lines and disabled syscalls.
augenrules --check
auditctl -l
Solution – Primary Fix
Remove deprecated lines and reload.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
sed -i '/-S removed_syscall/d' /etc/audit/rules.d/*.rules
augenrules --load
Solution – Alternative Approaches
Move legacy rules to an archive directory.
mkdir -p /etc/audit/rules.d.archive && mv /etc/audit/rules.d/legacy-*.rules /etc/audit/rules.d.archive/Verification & Acceptance Criteria
auditctl -s reports ‘enabled 1’ and rules are loaded.
auditctl -l | wc -lRollback Plan
Restore the archived rules.
mv /etc/audit/rules.d.archive/* /etc/audit/rules.d/ && augenrules --loadPrevention & Hardening
Run augenrules –check on every kernel bump.
augenrules --checkRelated Errors & Cross-Refs
Invalid syscall, rule exists, audit rule load failure.
Related tutorial: View the step-by-step tutorial for centos-stream-10.
View all centos-stream-10 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
auditd docs, audit.rules man page.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.
