From: Michael Mather <michael.mather@teksavvy.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: mode = forward
Date: Mon, 30 Jul 2012 14:50:23 -0400 [thread overview]
Message-ID: <1343674223.2592.31.camel@debian.domain_name> (raw)
In-Reply-To: <2445199.J5ARC6Cxdg@x2>
Steve
I have upped the priority boost to 10 and the queue to 200
(in /etc/audisp/audispd.conf) and at first glance it runs fine.
I am also beginning to understand auditd a bit better.
Thanks for both.
Michael
-------
On Mon, 2012-07-30 at 10:24 -0400, Steve Grubb wrote:
> On Monday, July 30, 2012 10:00:53 AM Michael Mather wrote:
> > Yes, I discovered yesterday that store-and-forward ("mode=forward" in
> > audisp-remote.conf) was implemented in version 2.1, in March 2011.
> > Unfortunately, it is taking a while to be in Debian and Ubuntu.
>
> And also backported to 1.8. However, 1.8 was the final release to that series
> and I am only patching severe bugs in that series.
>
>
> > The older versions allow you to specify the queue length, but that would
> > appear to have no effect. It just seemed to be in the format of the
> > config file in anticipation of store-and-forward being available.
> >
> > It is audispd that is complaining. Funny that it says "audispd: queue is
> > full - dropping event" when it is not using a queue.
>
> There actually is a queue in audispd. It's memory resident and holds new events
> while it's feeding the current one to all the plugins. When this queue
> overflows, the plugins are not working fast enough.
>
>
> > Anyway, I am left with several possibilities:
> >
> > 1. Upgrade to a recent version (which?), even though the distribution
> > does not support it.
>
> Open a support ticket then. The 1.8 version is compatible with the 1.7 series.
>
>
> > 2. Up the priority-boost in auditd.conf and/or audispd.conf.
>
> That is normal for production systems. The default setting is to handle
> setroubleshoot on a desktop system.
>
>
> > 3. Write the log locally and then have something monitor the file. What?
> >
> > 4. Can auditd use rsyslog?
>
> Yes. Use the audisp-syslog plugin. However, not using the audit daemon at all
> will cause audit events to be in syslog. You just have to load the rules
> yourself.
>
> -Steve
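The thread turns on two things: the in-memory queue inside audispd (whose overflow produces the "queue is full - dropping event" message) and the q_depth / priority_boost settings in /etc/audisp/audispd.conf that control it. The following script is an added example, not code from the thread or from the audit project. It parses an audispd.conf-style file, flags settings below the values the poster chose (200 and 10, used here only as an assumed baseline), and counts overflow warnings in syslog-style lines. q_depth, priority_boost and overflow_action are the real audispd.conf keys; the config and log samples are constructed.

```python
"""Check audispd queue tuning and count dropped-event warnings.

Added example (not from the mailing-list thread). It parses an
audispd.conf-style key = value file and scans syslog-style lines for the
"audispd: queue is full - dropping event" message quoted in the thread.
The config keys q_depth and priority_boost are real audispd.conf settings;
the baseline thresholds (200 / 10) are the values the poster chose and are
an assumption, not an official recommendation. Sample inputs are constructed.
"""
import re

# Constructed sample: an audispd.conf left at the shipped defaults, which the
# thread describes as tuned for a desktop rather than a busy server.
SAMPLE_CONF = """\
# audispd configuration (constructed sample)
q_depth = 80
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
"""

# Constructed sample syslog lines; two of them carry the overflow warning.
SAMPLE_SYSLOG = """\
Jul 30 14:40:01 host audispd: queue is full - dropping event
Jul 30 14:40:01 host kernel: audit: type=1300 audit(1343673601.123:4521)
Jul 30 14:40:02 host audispd: queue is full - dropping event
Jul 30 14:40:05 host sshd[1234]: Accepted publickey for admin from 10.0.0.5
"""

# The exact message quoted in the thread.
DROP_RE = re.compile(r"audispd: queue is full - dropping event")


def parse_audispd_conf(text):
    """Parse 'key = value' lines, ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip()
    return settings


def count_dropped_events(log_text):
    """Return how many log lines report audispd dropping an event."""
    return sum(1 for line in log_text.splitlines() if DROP_RE.search(line))


def check_queue_settings(settings, min_q_depth=200, min_priority_boost=10):
    """Return findings for queue settings below the assumed baseline.

    Defaults of 80 and 4 match the shipped audispd.conf and are used when a
    key is absent from the file.
    """
    findings = []
    q_depth = int(settings.get("q_depth", 80))
    boost = int(settings.get("priority_boost", 4))
    if q_depth < min_q_depth:
        findings.append(f"q_depth={q_depth} is below {min_q_depth}")
    if boost < min_priority_boost:
        findings.append(f"priority_boost={boost} is below {min_priority_boost}")
    return findings


def assess(conf_text, log_text):
    """Combine the config check and the drop count into one report dict."""
    settings = parse_audispd_conf(conf_text)
    return {
        "dropped_events": count_dropped_events(log_text),
        "findings": check_queue_settings(settings),
        "overflow_action": settings.get("overflow_action", "SYSLOG"),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CONF, SAMPLE_SYSLOG)
    print(f"dropped events seen: {report['dropped_events']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it against a real /etc/audisp/audispd.conf and a slice of syslog to see whether drops coincide with the default queue depth; a non-zero drop count with the 80/4 defaults is the situation the thread describes, and raising q_depth only buys time if the plugins (audisp-remote, audisp-syslog) cannot keep up.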
Thread overview: 6+ messages
2012-07-29 1:22 mode = forward Michael Mather
2012-07-30 13:17 ` Marcelo Cerri
2012-07-30 14:00 ` Michael Mather
2012-07-30 14:24 ` Steve Grubb
2012-07-30 18:50 ` Michael Mather [this message]
2012-07-30 14:14 ` Steve Grubb