From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Events lost with dispatcher
Date: Wed, 31 Mar 2010 15:56:34 -0400
Message-ID: <201003311556.34422.sgrubb@redhat.com>
References: <28B815FA-A40A-4864-8268-79FA1D5223C6@gmail.com>
	<DB8A3DAD-C9E3-4EB3-AB04-415CA9F828C9@gmail.com>
	<201003311548.35428.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <201003311548.35428.sgrubb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 31 March 2010 03:48:35 pm Steve Grubb wrote:
> > I am losing events when using the dispatcher mode. (ex: there are 100  
> > events to be received, I receive just 70)
> 
> Is there anything in syslog from auditd? What is your priority boost in 
> auditd.conf and audispd.conf?

Wait, you are writing a dispatcher...are you boosting your priority above 
auditd? If not, you should probably increase it by at least 4. Your dispatcher 
has to stay ahead of auditd.

-Steve