From: LC Bruzenak <lenny@magitekltd.com>
To: rshaw1@umbc.edu
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: Log rotation and client disconnects
Date: Fri, 13 Aug 2010 10:38:52 -0500
Message-ID: <1281713932.3735.22.camel@lcb>
In-Reply-To: <37254.128.63.24.134.1281711994.squirrel@webmail.umbc.edu>

On Fri, 2010-08-13 at 11:06 -0400, rshaw1@umbc.edu wrote:

> 
> (Technology preview or no, I'm very happy to have audisp; certain other
> systems aren't so lucky.)

I agree.

> 
> Well, I can't run aureport --summary; it pegs the CPU for hours and hours.
>  That's not really a big deal for me, though.  I have a script that runs
> shortly after the logs are rotated, generating a report based on the
> previous day's data.  It's using 3 aureports and one ausearch (piped
> through a bunch of stuff).  Usually takes less than 15 minutes to run.  At
> the moment, this is the main way we're using the data, though I'm hoping
> to do more in the future.  I've glanced at the audit+Prelude HOWTO, since
> Prelude can do a few other things that appeal to me.

I use this. Works pretty well.

> 
> (The ausearch used to be an aureport, but aureport --anomaly -i doesn't
> seem to get the node/host names from the logs, which is why I ended up
> writing my own thing.  Interestingly, --anomaly isn't even in the man page
> for aureport; I've no idea where I found it.  I don't know if any of this
> is different in more recent versions.)

That's a doc bug I guess. I have never heard of it.

> 
> Hrm.  This is what I have:
> 
> network_retry_time = 30
> max_tries_per_record = 60
> max_time_per_record = 5
> network_failure_action = syslog (looks like I'll be changing that)
> ...
> remote_ending_action = reconnect
> 
> Are you using the heartbeat_timeout stuff?  I haven't been.
Me:
network_retry_time = 1
max_tries_per_record = 10
max_time_per_record = 10
heartbeat_timeout = 30
...
remote_ending_action = reconnect

> 
> > Also - I have a big ugly system involving timestamps and reconnect
> > logic.
> 
> Yeah, I think I might come up with something like that, and use the "exec"
> option for network_failure_action combined with cron stuff to keep
> retrying.

That is what I do. It gets a little tricky, but it works.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
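The "exec option for network_failure_action combined with cron stuff to keep retrying" that both posters describe, written out as an added POSIX shell example. This is not code from the thread or from the audit project. It assumes a hypothetical wiring in which audisp-remote.conf carries `network_failure_action = exec /usr/local/sbin/audisp-reconnect.sh record` and a cron entry calls the same script with `retry`; the script path, `STATE_DIR`, `MAX_AGE`, `MAX_ATTEMPTS` and `RECONNECT_CMD` are all placeholders chosen for the example, and the command that actually restarts the forwarder is distro-specific.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): a timestamp-based
# reconnect helper for audisp-remote.  Assumed wiring, all hypothetical:
#   audisp-remote.conf: network_failure_action = exec /usr/local/sbin/audisp-reconnect.sh record
#   crontab:            */5 * * * * /usr/local/sbin/audisp-reconnect.sh retry
# audisp-remote calls "record" when the remote goes away; cron calls "retry"
# until the forwarder is back, so the retry loop is bounded by this script
# rather than by the daemon's own max_tries_per_record / network_retry_time.

STATE_DIR="${STATE_DIR:-/var/lib/audisp-reconnect}"       # placeholder path
MAX_AGE="${MAX_AGE:-900}"                                  # only act on failures newer than this (seconds)
MAX_ATTEMPTS="${MAX_ATTEMPTS:-12}"                         # stop retrying after this many recorded failures
RECONNECT_CMD="${RECONNECT_CMD:-service audispd restart}"  # placeholder; distro-specific

# record_failure: called by the exec hook; appends one epoch timestamp per failure.
record_failure() {
    mkdir -p "$STATE_DIR"
    date +%s >> "$STATE_DIR/failures"
}

# attempts: number of failures recorded since the last successful reconnect.
attempts() {
    if [ -s "$STATE_DIR/failures" ]; then
        wc -l < "$STATE_DIR/failures" | tr -d ' '
    else
        echo 0
    fi
}

# failure_age: seconds since the most recent recorded failure; fails if none.
failure_age() {
    [ -s "$STATE_DIR/failures" ] || return 1
    last=$(tail -n 1 "$STATE_DIR/failures")
    now=$(date +%s)
    echo $((now - last))
}

# should_retry: true only when the latest failure is recent and the attempt
# budget is not exhausted.  An exhausted budget is left for a human to notice
# rather than restarting the forwarder forever against a dead collector.
should_retry() {
    age=$(failure_age) || return 1
    [ "$age" -le "$MAX_AGE" ] || return 1
    [ "$(attempts)" -le "$MAX_ATTEMPTS" ]
}

# reconnect_if_needed: the cron entry point.  Runs RECONNECT_CMD and clears the
# state on success so the next outage starts with a fresh attempt budget.
reconnect_if_needed() {
    if ! should_retry; then
        return 0                   # nothing recent, or budget exhausted
    fi
    if $RECONNECT_CMD; then
        rm -f "$STATE_DIR/failures"
        return 0
    fi
    return 1                       # still down; cron will try again next run
}

case "${1:-}" in
    record) record_failure ;;
    retry)  reconnect_if_needed ;;
esac
```

The daemon's own `remote_ending_action = reconnect` already covers the case where the collector closes the connection cleanly; this script is only for the network-failure path, where the forwarder has given up after `max_tries_per_record`. The attempt budget is what keeps "keep retrying" from turning into an unbounded restart loop when the collector is down for good.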
