public inbox for linux-audit@redhat.com
* Events lost with dispatcher
@ 2010-03-31 19:07 Vishwanath Venkatesan
  2010-03-31 19:26 ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Vishwanath Venkatesan @ 2010-03-31 19:07 UTC (permalink / raw)
  To: linux-audit

Hi,

I'm having trouble receiving events with the dispatcher in ubuntu-9.04.

I am just trying to use the rule
-a entry, always -S execve -S exit_group
I receive all the events in the audit.log, but not in the dispatcher.
I am using the dispatcher code in the auditd website.

I am also using two threads, where one thread collects all the data and
the other thread does the parsing.
So there is no blocking, and the queue is an unbounded concurrent queue.
I don't think there is anything else that can be done at the receiving end.

If anyone has faced something similar or has suggestions, please let
me know.

Thanks
Vish


* Re: Events lost with dispatcher
  2010-03-31 19:07 Events lost with dispatcher Vishwanath Venkatesan
@ 2010-03-31 19:26 ` Steve Grubb
  2010-03-31 19:32   ` Vishwanath Venkatesan
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2010-03-31 19:26 UTC (permalink / raw)
  To: linux-audit

On Wednesday 31 March 2010 03:07:59 pm Vishwanath Venkatesan wrote:
> I'm having trouble receiving events with the dispatcher in ubuntu-9.04.

What kind of trouble? Is the process running? Does strace show it doing 
anything? If it is doing something, I'd add syslog calls to debug it.

-Steve


* Re: Events lost with dispatcher
  2010-03-31 19:26 ` Steve Grubb
@ 2010-03-31 19:32   ` Vishwanath Venkatesan
  2010-03-31 19:48     ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Vishwanath Venkatesan @ 2010-03-31 19:32 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

The process is running; I get all the events in audit.log if I use
'RAW' mode.
I am losing events when using the dispatcher mode (e.g. there are 100
events to be received, I receive just 70).
Moreover there is no delay at the dispatcher's end, as I have it
multithreaded.

I am using the skeleton code to receive events in the dispatcher.

- Vish
On Mar 31, 2010, at 3:26 PM, Steve Grubb wrote:

> On Wednesday 31 March 2010 03:07:59 pm Vishwanath Venkatesan wrote:
>> I'm having trouble receiving events with the dispatcher in
>> ubuntu-9.04.
>
> What kind of trouble? Is the process running? Does strace show it  
> doing
> anything? If it is doing something, I'd add syslog calls to debug it.
>
> -Steve


* Re: Events lost with dispatcher
  2010-03-31 19:32   ` Vishwanath Venkatesan
@ 2010-03-31 19:48     ` Steve Grubb
  2010-03-31 19:56       ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2010-03-31 19:48 UTC (permalink / raw)
  To: Vishwanath Venkatesan; +Cc: linux-audit

On Wednesday 31 March 2010 03:32:33 pm Vishwanath Venkatesan wrote:
> The process is running, I get all the events in audit.log if I use  
> 'RAW' mode,

This only affects disk logging and has no effect on dispatching.

> I am losing events when using the dispatcher mode (e.g. there are 100
> events to be received, I receive just 70).

Is there anything in syslog from auditd? What is your priority boost in 
auditd.conf and audispd.conf?

-Steve


* Re: Events lost with dispatcher
  2010-03-31 19:48     ` Steve Grubb
@ 2010-03-31 19:56       ` Steve Grubb
  2010-04-07 12:44         ` Matthew Booth
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Grubb @ 2010-03-31 19:56 UTC (permalink / raw)
  To: linux-audit

On Wednesday 31 March 2010 03:48:35 pm Steve Grubb wrote:
> > I am losing events when using the dispatcher mode (e.g. there are 100
> > events to be received, I receive just 70).
> 
> Is there anything in syslog from auditd? What is your priority boost in 
> auditd.conf and audispd.conf?

Wait, you are writing a dispatcher...are you boosting your priority above 
auditd? If not, you should probably increase it by at least 4. Your dispatcher 
has to stay ahead of auditd.

-Steve

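[Editor's note: the following is an added example illustrating the two points above (a dispatcher must stay ahead of auditd, and the skeleton-style reader must consume the pipe stream exactly). It is not the skeleton code from the auditd site, nor code by anyone in this thread, and, as the thread goes on to say, it is not what fixed Vish's case. The struct layout and the two constants are copied from libaudit.h and redeclared here so the file builds without the audit headers; boost_priority(), read_event() and pipe_roundtrip() are names chosen for this example; the audit records written by pipe_roundtrip() are constructed, not captured.]

```c
/* Added example, not the skeleton from the auditd site: a strict reader for the
 * auditd -> dispatcher pipe protocol, plus the priority boost Steve describes.
 * Header layout/constants copied from libaudit.h; the sample events are made up. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>

#define AUDISP_PROTOCOL_VER      0     /* as in libaudit.h */
#define MAX_AUDIT_MESSAGE_LENGTH 8970  /* as in libaudit.h */

struct dispatcher_header {  /* same layout as struct audit_dispatcher_header */
    uint32_t ver;   /* protocol version */
    uint32_t hlen;  /* header length */
    uint32_t type;  /* audit record type, e.g. 1300 = AUDIT_SYSCALL */
    uint32_t size;  /* payload bytes that follow the header */
};

/* Raise our priority by 'boost' nice steps (what a priority_boost setting
 * amounts to). auditd forks the dispatcher, so the nice value we inherit is
 * auditd's already-boosted one and this boost is relative to it. Needs CAP_SYS_NICE. */
int boost_priority(int boost)
{
    if (boost < 0)
        return -1;
    errno = 0;
    int cur = getpriority(PRIO_PROCESS, 0);
    if (cur == -1 && errno != 0)
        return -1;
    return setpriority(PRIO_PROCESS, 0, cur - boost);
}

/* Read exactly len bytes. A pipe may return short reads; a reader that ignores
 * that drifts off the frame boundaries and "loses" events. 1 ok, 0 EOF, -1 err. */
static int read_full(int fd, void *buf, size_t len)
{
    for (char *p = buf; len > 0;) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            return n == 0 ? 0 : -1;
        p += n;
        len -= (size_t)n;
    }
    return 1;
}

/* Read one framed event: the header, then exactly hdr->size payload bytes. data
 * must hold MAX_AUDIT_MESSAGE_LENGTH + 1 bytes; it is NUL terminated.
 * Returns 1 on success, 0 on EOF, -1 on error or a malformed frame. */
int read_event(int fd, struct dispatcher_header *hdr, char *data)
{
    int rc = read_full(fd, hdr, sizeof *hdr);
    if (rc <= 0)
        return rc;
    if (hdr->ver != AUDISP_PROTOCOL_VER || hdr->hlen != sizeof *hdr ||
        hdr->size > MAX_AUDIT_MESSAGE_LENGTH)
        return -1;                      /* bad header: stop, do not guess */
    if (read_full(fd, data, hdr->size) != 1)
        return -1;                      /* truncated payload */
    data[hdr->size] = '\0';
    return 1;
}

/* The dispatcher main loop reduced to counting: drain fd to EOF; -1 if malformed. */
long count_events(int fd)
{
    struct dispatcher_header hdr;
    char data[MAX_AUDIT_MESSAGE_LENGTH + 1];
    long n = 0;
    int rc;
    while ((rc = read_event(fd, &hdr, data)) == 1)
        n++;
    return rc == 0 ? n : -1;
}

/* Self-check with constructed events: write n frames into a pipe the way auditd
 * does (header, then payload; n must fit the pipe buffer) and count what the
 * strict reader gets back. Expected: exactly n, nothing dropped or merged. */
long pipe_roundtrip(int n)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    for (int i = 0; i < n; i++) {
        char msg[80];
        struct dispatcher_header hdr = { AUDISP_PROTOCOL_VER, sizeof hdr, 1300, 0 };
        hdr.size = (uint32_t)snprintf(msg, sizeof msg, "audit(1270062000.%03d:%d): "
                                      "arch=c000003e syscall=59 success=yes", i % 1000, i);
        if (write(fds[1], &hdr, sizeof hdr) != (ssize_t)sizeof hdr ||
            write(fds[1], msg, hdr.size) != (ssize_t)hdr.size) {
            close(fds[0]); close(fds[1]); return -1;
        }
    }
    close(fds[1]);
    long got = count_events(fds[0]);
    close(fds[0]);
    return got;
}
```

In a real dispatcher the stream arrives on fd 0, so the loop in count_events() would run over stdin and hand each (hdr, data) pair to the parsing thread instead of counting. The settings Steve is asking about are priority_boost in /etc/audit/auditd.conf and in /etc/audisp/audispd.conf (default 4 in each); because the dispatcher inherits auditd's nice value when it is forked, the audispd value stacks on top of auditd's, which is the "at least 4 above auditd" in the message above. A custom dispatcher started in audispd's place gets no such boost unless it applies one itself, as boost_priority() does here.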

* Re: Events lost with dispatcher
  2010-03-31 19:56       ` Steve Grubb
@ 2010-04-07 12:44         ` Matthew Booth
  2010-04-07 13:00           ` Steve Grubb
  0 siblings, 1 reply; 7+ messages in thread
From: Matthew Booth @ 2010-04-07 12:44 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 31/03/10 20:56, Steve Grubb wrote:
> Wait, you are writing a dispatcher...are you boosting your priority above 
> auditd? If not, you should probably increase it by at least 4. Your dispatcher 
> has to stay ahead of auditd.

On a related note, has there been any more thought about loading
dispatchers into auditd itself as dynamic libraries? This would solve
this problem, and also the issue of accidentally writing a rule which is
triggered by a dispatcher, causing a DoS.

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M:       +44 (0)7977 267231
GPG ID:  D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


* Re: Events lost with dispatcher
  2010-04-07 12:44         ` Matthew Booth
@ 2010-04-07 13:00           ` Steve Grubb
  0 siblings, 0 replies; 7+ messages in thread
From: Steve Grubb @ 2010-04-07 13:00 UTC (permalink / raw)
  To: Matthew Booth; +Cc: linux-audit

On Wednesday 07 April 2010 08:44:08 am Matthew Booth wrote:
> On 31/03/10 20:56, Steve Grubb wrote:
> > Wait, you are writing a dispatcher...are you boosting your priority above
> > auditd? If not, you should probably increase it by at least 4. Your
> > dispatcher has to stay ahead of auditd.
> 
> On a related note, has there been any more thought about loading
> dispatchers into auditd itself as dynamic libraries?

It's been in the official TODO file for about 7-8 months. There just isn't any 
time for me to work on it right now or for a few more months.


> This would solve this problem, 

This particular problem turned out to be a bad Ubuntu kernel. Everything works 
as advertised when he switched to Fedora.


> and also the issue of accidentally writing a rule which is
> triggered by a dispatcher, causing a DoS.

-Steve

