* space_left_action
@ 2009-07-30 20:13 LC Bruzenak
2009-07-30 20:23 ` space_left_action Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: LC Bruzenak @ 2009-07-30 20:13 UTC (permalink / raw)
To: Linux Audit
Good news: When I set the space_left_action to syslog and crossed the
boundary, I got a syslog message on the next audit event. Subsequent
events did not generate any further syslog messages.
Then I freed up disk space, sent in a few events for good measure
(thinking it would reset the flag) and once again filled the disk past
the threshold.
Bad news: I didn't get the message again.
Should this behavior have happened as I expected and another log message
get into the messages log? Or as coded would the auditd need restart?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: space_left_action
2009-07-30 20:13 space_left_action LC Bruzenak
@ 2009-07-30 20:23 ` Steve Grubb
2009-07-30 21:12 ` space_left_action LC Bruzenak
0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2009-07-30 20:23 UTC (permalink / raw)
To: linux-audit
On Thursday 30 July 2009 04:13:54 pm LC Bruzenak wrote:
> Good news: When I set the space_left_action to syslog and crossed the
> boundary, I got a syslog message on the next audit event. Subsequent
> events did not generate any further syslog messages.
>
> Then I freed up disk space, sent in a few events for good measure
> (thinking it would reset the flag) and once again filled the disk past
> the threshold.
> Bad news: I didn't get the message again.
Did you do a "service auditd resume" ?
> Should this behavior have happened as I expected and another log message
> get into the messages log? Or as coded would the auditd need restart?
You shouldn't need to restart it, but you should tell it to resume.
-Steve
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: space_left_action
2009-07-30 20:23 ` space_left_action Steve Grubb
@ 2009-07-30 21:12 ` LC Bruzenak
0 siblings, 0 replies; 3+ messages in thread
From: LC Bruzenak @ 2009-07-30 21:12 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
On Thu, 2009-07-30 at 16:23 -0400, Steve Grubb wrote:
> On Thursday 30 July 2009 04:13:54 pm LC Bruzenak wrote:
> > Good news: When I set the space_left_action to syslog and crossed the
> > boundary, I got a syslog message on the next audit event. Subsequent
> > events did not generate any further syslog messages.
> >
> > Then I freed up disk space, sent in a few events for good measure
> > (thinking it would reset the flag) and once again filled the disk past
> > the threshold.
> > Bad news: I didn't get the message again.
>
> Did you do a "service auditd resume" ?
>
> > Should this behavior have happened as I expected and another log message
> > get into the messages log? Or as coded would the auditd need restart?
>
> You shouldn't need to restart it, but you should tell it to resume.
>
> -Steve
Thanks for the info Steve!
I would think the manual resume option appropriate definitely for the
"suspend" option...but not really the syslog.
Is there a reason to not have it reset if the space is freed?
So if eventually I need to patch this, would you:
1: accept a change?
2: also want another parameter like "autoresume_on_space_free = false"
to preserve this behavior?
Thanks,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-07-30 21:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-07-30 20:13 space_left_action LC Bruzenak
2009-07-30 20:23 ` space_left_action Steve Grubb
2009-07-30 21:12 ` space_left_action LC Bruzenak
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox