Backlog exceeded when using audisp

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Andy Ruch <adruch2002@yahoo.com>
To: Audit ML <linux-audit@redhat.com>
Subject: Backlog exceeded when using audisp
Date: Wed, 13 Aug 2014 14:37:52 -0700	[thread overview]
Message-ID: <1407965872.73962.YahooMailNeo@web120705.mail.ne1.yahoo.com> (raw)

[-- Attachment #1.1: Type: text/plain, Size: 1302 bytes --]

Hello,

I'm trying to send the audit logs on a secure RHEL 6.5 system to rsyslog. Rsyslog will then send them to another system for centralized collection. I can't have audisp send them directly because the connectivity is unreliable and rsyslog provides on disk queues for reliable delivery. I've activated the syslogplugin of audisp to do the transfer. The problem is getting the logs transferred fast enough. The system is configured to panic upon error (-f 2), which it does frequently when I do something like update the SELinux RPM since watching /etc/selinux is required by the STIG. 

I have the audit buffer size configured to 8192 and the audisp queue set to 120. I'm surprised the 8192 buffer is being overwhelmed. When I look at aureport for just the time frame of the action, I get approximately 350 events. I know that each event may have multiple entries, but it is interesting that the capacity of a buffer over 20 times bigger is being exceeded.

Can anyone in a similar situation share any insights? Is there a faster way to transfer the logs rather than the audispsyslogplugin? We use to have rsyslog monitor the audit.log file but ran into some issues when we started dealing with log file rollover. And it just seems cleaner to send the audit logs directly.

Thanks,
Andrew Ruch

[-- Attachment #1.2: Type: text/html, Size: 3510 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

next             reply	other threads:[~2014-08-13 21:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-08-13 21:37 Andy Ruch [this message]
2014-08-14 12:50 ` Backlog exceeded when using audisp Steve Grubb
  -- strict thread matches above, loose matches on Subject: below --
2014-08-14 20:12 Andy Ruch
2014-08-15 18:01 ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1407965872.73962.YahooMailNeo@web120705.mail.ne1.yahoo.com \
    --to=adruch2002@yahoo.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox