public inbox for linux-audit@redhat.com
From: Klaus Heinrich Kiwi <klausk@br.ibm.com>
To: "sgrubb@redhat.com" <sgrubb@redhat.com>,
	"Linux-audit@redhat.com" <Linux-audit@redhat.com>
Subject: event loss with dispatcher?
Date: Thu, 08 Nov 2007 11:54:16 -0500
Message-ID: <1194540856.19673.26.camel@klausk.br.ibm.com>

Hi,

 I'm trying to debug a potential problem with the dispatcher mechanism
in version 1.6.2. Long story short, I saw that some records were being
missed in the remote system (using the audisp-racf plugin), couldn't
find anything wrong with the code, so I enabled the syslog plugin,
trying to match the syslog with the audit log output. At least in
my system, they are not matching.

In cases where there is more than one record per event (e.g. SYSCALL,
CWD, PATH), the majority of times only the syscall record is sent to the
syslog. In rare cases I could see the path or the cwd record as well.
The impression that this would be a timing issue increased when I tried
to debug the daemon itself, placing a breakpoint in the
distribute_event() and/or dispatch_event() functions. In that case, I
could see all records going through, both in the execution path and in
the syslog.

Later I also placed some debugging hooks in process_inbound_event() in
the dispatcher code, and saw that records were already missing at that
point.

The lossy/lossless setting for the dispatcher queue doesn't appear to
affect this behavior. My tests involve a filesystem watch; when
triggered, only 3 records are generated (so nowhere near the 128K
buffer size).

My env: RHEL 5 GA on s390x (sorry - no other box available for testing
at this time) with audit 1.6.2 (built from src.rpm as downloaded from
Steve's website).

Steve, btw, can you hold the audisp-racf merge a little bit? I found some
issues with the selinux policy, the mapping to the remote system and,
believe it or not, the plugin name itself :(

 Thanks,

 -Klaus Kiwi
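One way to make the audit.log versus syslog comparison described in the post systematic, as an added example that is not from the original message or from the audit project: group records by the event serial in the msg=audit(time:serial) field and report, per event, which record types never reached the syslog. The sample lines below are constructed; the syslog prefix and field contents are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed audit.log excerpt: event 101 carries SYSCALL, CWD and PATH
# records; event 102 is a single-record event.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1194540856.123:101): arch=80000016 syscall=5 success=yes exit=3
type=CWD msg=audit(1194540856.123:101):  cwd="/root"
type=PATH msg=audit(1194540856.123:101): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1194540857.456:102): arch=80000016 syscall=3 success=yes exit=0
"""

# Constructed syslog excerpt (assumed audispd syslog-plugin prefix): only the
# SYSCALL record of event 101 was delivered, matching the symptom in the post.
SYSLOG = """\
Nov  8 11:54:16 host audispd: type=SYSCALL msg=audit(1194540856.123:101): arch=80000016 syscall=5
Nov  8 11:54:17 host audispd: type=SYSCALL msg=audit(1194540857.456:102): arch=80000016 syscall=3
"""

# Every audit record, wherever it is logged, carries type= and msg=audit(ts:serial).
RECORD_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


def records_by_event(text):
    """Map event serial -> Counter of record types seen for that serial.

    A Counter rather than a set, because one event may carry several
    records of the same type (e.g. PATH item=0, item=1).
    """
    events = defaultdict(Counter)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if m:
            events[int(m.group("serial"))][m.group("type")] += 1
    return events


def missing_records(audit_text, syslog_text):
    """Return {serial: sorted record types present in audit.log but absent from syslog}."""
    expected = records_by_event(audit_text)
    seen = records_by_event(syslog_text)
    missing = {}
    for serial, types in expected.items():
        # Counter subtraction keeps only positive counts, i.e. the records lost.
        lost = list((types - seen.get(serial, Counter())).elements())
        if lost:
            missing[serial] = sorted(lost)
    return missing


if __name__ == "__main__":
    for serial, lost in sorted(missing_records(AUDIT_LOG, SYSLOG).items()):
        print(f"event {serial}: missing {', '.join(lost)}")
```

Run over a real pair of files, the per-serial report separates genuine drops inside the dispatcher from events that were simply never sent, which is the distinction the breakpoint test in the post was trying to make.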
