Re: Log rotation and client disconnects

[LC Bruzenak <lenny@magitekltd.com>]

On Thu, 2010-08-12 at 10:02 -0400, rshaw1@umbc.edu wrote:
> I've discovered the issue since I sent it, anyway.  If num_logs is set to
> 0, auditd will ignore explicit requests to rotate the logs.  I guess this
> may be intentional, but it's unfortunate as num_logs caps at 99 and I need
> to keep 365 of them.  I suppose that since I'll have to rename and bzip
> them anyway, I may as well just move them to another location (maybe
> /var/log/audit/archive) so that auditd doesn't "see" them, unless there's
> a better way to do this.

How big are your logfiles? Mine are 100MB each.
Each day I have to move mine out of the way for the same reasons.
However, the search tools are then impacted, since you'll need to know
where to find them. 
Also, since it appears you have a lot of data, I assume you are finding
performance issues on the audit-viewer?

> 
> I'm still not sure what to do about the disconnection issues (although
> hopefully those will be very infrequent once I'm no longer restarting any
> of the daemons).  If a client does lose the connection to the server for a
> while though (say, an hour-long network outage for networking upgrades),
> I'd like to be able to tell them to try reconnecting periodically, and the
> combination of network_retry_time and max_tries_per_record doesn't seem to
> be the way to do that.
> 
> Other than checking the logs, is there a way to determine whether or not a
> running audispd is connected to the remote server?

I do a combination of things to detect this on the sending side.
The network_failure_action of the audisp-remote.conf file allows for a
custom action using the "exec" option.

The remote_ending_action = reconnect helps if the  (server) restarts its
auditd. Maybe your version is different from mine but I get the
reconnects...

Also - I have a big ugly system involving timestamps and reconnect
logic.

> 
> >> I'm also having separate issues with some clients disconnecting from the
> >> server, retrying twice in about a 40 second interval, and then giving
> >> up.
> >> The server isn't going down, and this isn't even happening at the same
> >> time I was restarting auditd.
> >
> > Anything written to syslog on either end?
> 
> Nothing is on the server, but this is (everything) on the client:
> 
> Aug  4 23:12:07 host1 audisp-remote: connection to host2 closed unexpectedly
> Aug  4 23:12:07 host1 audisp-remote: Connected to host2
> Aug  4 23:12:12 host1 audisp-remote: connection to host2 closed unexpectedly
> Aug  4 23:12:42 host1 audisp-remote: network failure, max retry time
> exhausted

I will go back and read your previous posts; maybe something will click.

LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com