From: Andy Ruch
Subject: Backlog exceeded when using audisp
Date: Wed, 13 Aug 2014 14:37:52 -0700
Message-ID: <1407965872.73962.YahooMailNeo@web120705.mail.ne1.yahoo.com>
To: Audit ML
List-Id: linux-audit@redhat.com

Hello,

I'm trying to send the audit logs on a secure RHEL 6.5 system to rsyslog. Rsyslog will then send them to another system for centralized collection. I can't have audisp send them directly because the connectivity is unreliable and rsyslog provides on disk queues for reliable delivery. I've activated the syslog plugin of audisp to do the transfer. The problem is getting the logs transferred fast enough. The system is configured to panic upon error (-f 2), which it does frequently when I do something like update the SELinux RPM since watching /etc/selinux is required by the STIG.

I have the audit buffer size configured to 8192 and the audisp queue set to 120. I'm surprised the 8192 buffer is being overwhelmed. When I look at aureport for just the time frame of the action, I get approximately 350 events. I know that each event may have multiple entries, but it is interesting that the capacity of a buffer over 20 times bigger is being exceeded.

Can anyone in a similar situation share any insights? Is there a faster way to transfer the logs rather than the audisp syslog plugin? We used to have rsyslog monitor the audit.log file but ran into some issues when we started dealing with log file rollover. And it just seems cleaner to send the audit logs directly.

Thanks,
Andrew Ruch
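The message above compares an aureport event count (about 350) with a backlog limit of 8192 and finds the gap surprising. The two are not measured in the same unit: aureport counts one event per serial number in msg=audit(ts:serial), while the kernel backlog set with auditctl -b holds every individual record, and a single open or rename under a watched directory such as /etc/selinux produces a SYSCALL record, a CWD record and one PATH record per path item. The Python below is an added example, not code from the poster or from the audit project; it groups constructed audit.log lines by serial to show the records-per-event multiplier, sizes them against the backlog limit, and parses a constructed auditctl -s status line to flag the combination the post describes (failure mode 2, backlog near its limit) before the panic happens. The status-line format is assumed to be the one-line key=value form that older auditctl versions print; the newer one-key-per-line form is accepted as well. The sample records are constructed and abbreviated, not taken from the poster's system.

```python
"""Group auditd records into events and size them against the kernel backlog.
Added example for the thread above; all sample data below is constructed."""
import re
from collections import OrderedDict

# Constructed records: two multi-record file events of the kind an RPM update
# generates against a -w /etc/selinux watch, plus one single-record login
# event.  Field lists are abbreviated; real records carry many more fields.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1407965872.101:4567): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=2314 auid=0 uid=0 comm="rpm" exe="/bin/rpm" key="selinux"
type=CWD msg=audit(1407965872.101:4567):  cwd="/"
type=PATH msg=audit(1407965872.101:4567): item=0 name="/etc/selinux/targeted/policy/" inode=131073 dev=fd:00 mode=040755
type=PATH msg=audit(1407965872.101:4567): item=1 name="/etc/selinux/targeted/policy/policy.24;53eb8f30" inode=131090 dev=fd:00 mode=0100644
type=SYSCALL msg=audit(1407965872.105:4568): arch=c000003e syscall=82 success=yes exit=0 items=4 pid=2314 auid=0 uid=0 comm="rpm" exe="/bin/rpm" key="selinux"
type=CWD msg=audit(1407965872.105:4568):  cwd="/"
type=PATH msg=audit(1407965872.105:4568): item=0 name="/etc/selinux/targeted/policy/" inode=131073 dev=fd:00 mode=040755
type=PATH msg=audit(1407965872.105:4568): item=1 name="/etc/selinux/targeted/policy/" inode=131073 dev=fd:00 mode=040755
type=PATH msg=audit(1407965872.105:4568): item=2 name="/etc/selinux/targeted/policy/policy.24;53eb8f30" inode=131090 dev=fd:00 mode=0100644
type=PATH msg=audit(1407965872.105:4568): item=3 name="/etc/selinux/targeted/policy/policy.24" inode=131090 dev=fd:00 mode=0100644
type=USER_START msg=audit(1407965872.900:4569): user pid=2400 uid=0 auid=0 ses=2 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
"""

# Constructed auditctl -s output in the one-line form (assumed for older
# auditctl builds); flag=2 is the -f 2 panic-on-failure setting from the post.
SAMPLE_STATUS = ("AUDIT_STATUS: enabled=1 flag=2 pid=1847 rate_limit=0 "
                 "backlog_limit=8192 lost=0 backlog=7900")

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


def parse_events(text):
    """Group records by event serial (the number after the colon in
    msg=audit(ts:serial)).  aureport counts one event per serial; the kernel
    backlog holds every record, so the per-serial record lists are what the
    backlog actually fills up with."""
    events = OrderedDict()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m is None:
            continue  # blank or non-audit line
        events.setdefault(m.group("serial"), []).append(m.group("type"))
    return events


def backlog_pressure(events, backlog_limit):
    """Records these events occupy, and how many events of the largest shape
    seen would fill backlog_limit if nothing drained it.  This is a rough
    upper bound: auditd drains the backlog concurrently, so the real number
    depends on how fast the audisp/syslog/rsyslog chain keeps up."""
    if not events:
        raise ValueError("no audit records parsed")
    records = sum(len(types) for types in events.values())
    largest = max(len(types) for types in events.values())
    return {
        "events": len(events),
        "records": records,
        "largest_event_records": largest,
        "events_until_full": backlog_limit // largest,
    }


def parse_status(text):
    """Parse auditctl -s output into ints.  Accepts both the one-line
    'key=value' form and the one-'key value'-per-line form."""
    return {key: int(value) for key, value in re.findall(r"(\w+)[= ](\d+)", text)}


def panic_risk(status, headroom=0.9):
    """True when the failure mode is panic (-f 2) and either records have
    already been lost or the backlog is within `headroom` of its limit.
    Older auditctl reports the failure mode as 'flag', newer as 'failure'."""
    failure = status.get("failure", status.get("flag", 0))
    if failure != 2:
        return False
    limit = status.get("backlog_limit", 0)
    backlog = status.get("backlog", 0)
    return status.get("lost", 0) > 0 or (limit > 0 and backlog >= headroom * limit)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_AUDIT_LOG)
    for serial, types in ev.items():
        print(serial, len(types), " ".join(types))
    print(backlog_pressure(ev, 8192))
    st = parse_status(SAMPLE_STATUS)
    print("panic risk:", panic_risk(st))
```

On a live system the same functions can be fed the output of `ausearch -ts <start> -te <end> --raw` and of `auditctl -s`; comparing `records` with the aureport event count for the same window shows how many backlog slots each watched-directory event really costs, and `panic_risk` is the check to run (or to poll from a watchdog) before an RPM update on a host configured with -f 2.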