From: Michael Mather
Subject: Re: mode = forward
Date: Mon, 30 Jul 2012 14:50:23 -0400
Message-ID: <1343674223.2592.31.camel@debian.domain_name>
References: <1343524923.2542.18.camel@debian.domain_name> <50168955.9010307@linux.vnet.ibm.com> <1343656853.2592.26.camel@debian.domain_name> <2445199.J5ARC6Cxdg@x2>
In-Reply-To: <2445199.J5ARC6Cxdg@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve

I have upped the priority boost to 10 and the queue to 200 (in /etc/audisp/audispd.conf) and at first glance it runs fine.

I am also beginning to understand auditd a bit better.

Thanks for both.

Michael

-------

On Mon, 2012-07-30 at 10:24 -0400, Steve Grubb wrote:
> On Monday, July 30, 2012 10:00:53 AM Michael Mather wrote:
> > Yes, I discovered yesterday that store-and-forward ("mode=forward" in
> > audisp-remote.conf) was implemented in version 2.1, in March 2011.
> > Unfortunately, it is taking a while to be in Debian and Ubuntu.
>
> And also backported to 1.8. However, 1.8 was the final release to that series
> and I am only patching severe bugs in that series.
>
> > The older versions allow you to specify the queue length, but that would
> > appear to have no effect. It just seemed to be in the format of the
> > config file in anticipation of store-and-forward being available.
> >
> > It is audispd that is complaining. Funny that it says "audispd: queue is
> > full - dropping event" when it is not using a queue.
>
> There actually is a queue in audispd. It's memory resident and holds new events
> while it's feeding the current one to all the plugins. When this queue
> overflows, the plugins are not working fast enough.
>
> > Anyway, I am left with several possibilities:
> >
> > 1. Upgrade to a recent version (which?), even though the distribution
> > does not support it.
>
> Open a support ticket then. The 1.8 version is compatible with the 1.7 series.
>
> > 2. Up the priority-boost in auditd.conf and/or audispd.conf.
>
> That is normal for production systems. The default setting is to handle
> setroubleshoot on a desktop system.
>
> > 3. Write the log locally and then have something monitor the file. What?
> >
> > 4. Can auditd use rsyslog?
>
> Yes. Use the audisp-syslog plugin. However, not using the audit daemon at all
> will cause audit events to be in syslog. You just have to load the rules
> yourself.
>
> -Steve
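The thread above turns on two audispd.conf settings (the queue depth and the priority boost) and on one log message ("audispd: queue is full - dropping event") that tells you the plugin queue overflowed. The following POSIX shell snippet is an added example, not code from either poster or from the audit project: it reads those two values out of a config text and counts overflow messages in a log excerpt, so an operator can confirm the tuning is in place and watch for drops afterwards. The key names `q_depth` and `priority_boost` and the sample config and log lines are assumptions constructed for the example; the threshold values are the ones the thread settled on.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the audit project).
# Assumes the audispd.conf keys "q_depth" and "priority_boost"; the config
# text and log lines below are constructed samples, not captured data.

# Constructed audispd.conf excerpt with the values the thread arrived at.
SAMPLE_CONF='q_depth = 200
priority_boost = 10
max_restarts = 10
name_format = none'

# Constructed syslog excerpt: three overflow drops and one unrelated line.
SAMPLE_LOG='Jul 30 14:40:01 debian audispd: queue is full - dropping event
Jul 30 14:40:01 debian audispd: queue is full - dropping event
Jul 30 14:40:02 debian kernel: audit: type=1300 msg=audit(1343674222.123:45)
Jul 30 14:40:03 debian audispd: queue is full - dropping event'

# conf_value KEY CONFTEXT: print the value of the first "KEY = value" line.
conf_value() {
    key="$1"
    printf '%s\n' "$2" \
        | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | head -n 1
}

# queue_tuned CONFTEXT MIN_DEPTH MIN_BOOST: exit 0 when both settings reach
# the given minimums, 1 otherwise. Missing keys count as not tuned.
queue_tuned() {
    depth=$(conf_value q_depth "$1")
    boost=$(conf_value priority_boost "$1")
    [ -n "$depth" ] && [ -n "$boost" ] || return 1
    [ "$depth" -ge "$2" ] && [ "$boost" -ge "$3" ]
}

# count_audispd_drops LOGTEXT: number of queue-overflow drop messages.
count_audispd_drops() {
    printf '%s\n' "$1" | grep -c 'audispd: queue is full - dropping event'
}

# Stand-alone usage: report the settings and the drop count for the samples.
printf 'q_depth=%s priority_boost=%s\n' \
    "$(conf_value q_depth "$SAMPLE_CONF")" \
    "$(conf_value priority_boost "$SAMPLE_CONF")"
if queue_tuned "$SAMPLE_CONF" 200 10; then
    echo "audispd queue settings meet the 200/10 target"
else
    echo "audispd queue settings below the 200/10 target"
fi
printf 'overflow drops seen: %s\n' "$(count_audispd_drops "$SAMPLE_LOG")"
```

On a live host you would feed `conf_value` and `queue_tuned` the contents of /etc/audisp/audispd.conf and `count_audispd_drops` the relevant slice of syslog; a non-zero drop count after the tuning means the plugins still cannot keep up and the queue or boost needs another look.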