From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
To: DJ Delorie <dj@redhat.com>
Cc: linux-audit <linux-audit@redhat.com>
Subject: Re: [PATCH] Add error-handling actions to audisp-remote
Date: Fri, 29 Aug 2008 16:40:58 -0300 [thread overview]
Message-ID: <1220038858.6673.60.camel@klausk.br.ibm.com> (raw)
In-Reply-To: <200808281847.m7SIlbHs001641@greed.delorie.com>
On Thu, 2008-08-28 at 14:47 -0400, DJ Delorie wrote:
> Third in a series.
> (http://www.redhat.com/archives/linux-audit/2008-August/msg00118.html)
>
> The goal of this patch is to robustify the error handling in the
> client end of the remote protocol. The following changes are made
> by this patch:
>
> * Failure to send a record to the aggregator results in a series of
> retry attempts, tunable by the administrator.
>
> * Overall network failure (after retries) and server-indicated error
> conditions now have admin-specified actions associated with them.
>
> * Miscellaneous additional error handling for reads and writes.
>
> Comments?
>
I regret not having time to properly review the patches, but I just read
the discussion around the possibility of queuing messages that happened
around Aug. 14th.
(I remember having a similar discussion with Steve a couple of months
ago), but I was wondering if it would be possible to stop reading from
stdin once we detect a temporary network outage (or could be extended to
other errors conditions).
Having the last serial that was successfully sent, once the error
condition is gone we could use auparse calls to read the logs, starting
exactly at (event serial + 1) and processing all events until we 'meet
again' at the last event seen on stdin (which are immediately discarded
while we process the queue), and then resuming from there (back to
reading stdin).
I don't know the details of AMQP but it's possible that it involves a
secondary storage on disk. I wonder if we could achieve the same
robustness without relying on duplicating the data (audit logs and
queue).
On another subject, I liked how you are capable of returning error
conditions from the server, and then have an action for each of those.
If I have the time, I'll see what I can do to mimic this behavior in the
zos-remote plugin.
Thanks!
-Klaus
--
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center
next prev parent reply other threads:[~2008-08-29 19:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-28 18:47 [PATCH] Add error-handling actions to audisp-remote DJ Delorie
2008-08-29 14:49 ` Steve Grubb
2008-08-29 19:40 ` Klaus Heinrich Kiwi [this message]
2008-08-29 19:50 ` DJ Delorie
2008-12-15 7:45 ` Chu Li
2008-12-22 20:04 ` Steve Grubb
2008-12-23 13:19 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1220038858.6673.60.camel@klausk.br.ibm.com \
--to=klausk@linux.vnet.ibm.com \
--cc=dj@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox