From mboxrd@z Thu Jan  1 00:00:00 1970
From: DJ Delorie <dj@redhat.com>
Subject: Re: audit collection
Date: Mon, 15 Sep 2008 13:24:28 -0400
Message-ID: <200809151724.m8FHOSIB011019@greed.delorie.com>
References: <1221263768.6502.121.camel@homeserver>
	<200809130005.m8D05b5i013462@greed.delorie.com>
	<1221498947.6846.31.camel@homeserver>
Return-path: <linux-audit-bounces@redhat.com>
In-reply-to: <1221498947.6846.31.camel@homeserver> (message from LC Bruzenak
	on Mon, 15 Sep 2008 12:15:47 -0500)
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LC Bruzenak <lenny@magitekltd.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com


> Sep 15 11:48:14 comms audispd: queue is full - dropping event
> 
> I assume this indicates the problem - sending isn't happening so the
> audispd queue fills.

Yes, this means nothing is getting across the network.  Have you tried
running tcpdump on the client side?  Or running gdb on the running
audisp-remote to see where it's stuck.

> I'd have expected an audisp syslog error though.

I do log all the errors I could detect, so I don't know what's
happening here.  Those syslog errors are likely from audisp itself,
not the remote plugin.

It would help if you could try it between two 32 bit hosts.  At least
that would remove the "int size bug" possibility.