From: Richard Guy Briggs
Subject: Re: Clear kernel audit buffer?
Date: Mon, 13 Jan 2014 14:24:38 -0500
Message-ID: <20140113192438.GC23577@madcap2.tricolour.ca>
To: Aaron Lewis
Cc: linux-audit@redhat.com

On 13/12/26, Aaron Lewis wrote:
> Hi,
>
> I'm doing a stress test on auditd, so I add a rule to monitor the "open"
> syscall, then I use a C program to generate a massive amount of logs.
> The program finished and exited.
>
> But I generated too much; if I kill auditd and start it again, I can
> still see a lot of type=SYSCALL logs (but not CWD or PATH).
>
> Can I clear the existing buffer?

Did you remove the rule that caused the massive amount of logging?
Auditd will drain that buffer. The default is a queue of 64 messages,
which should drain reasonably quickly if the rule has been removed and
the queue length hasn't been overridden to a huge value.

Otherwise, there is no other way to drain that buffer.

> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
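The drain procedure described in the reply (delete the noisy rule, then let auditd empty the kernel backlog rather than restarting it), as an added shell example that is not part of the thread. It assumes the `auditctl` tool from the audit userspace package is available with root privileges, that `auditctl -s` prints `key value` lines including `backlog`, `backlog_limit` and `lost`, and that the rule was loaded as `-a always,exit -S open`; the `AUDITCTL` variable is a hypothetical override so the functions can be exercised against a fake command.

```shell
#!/bin/sh
# Added example: watch the kernel audit backlog drain after removing a rule.
# AUDITCTL may be set to a shell function name for offline testing (assumption).
AUDITCTL="${AUDITCTL:-auditctl}"

# Extract one numeric field (e.g. backlog, backlog_limit, lost) from the
# "key value" lines printed by `auditctl -s`.
status_field() {
    # $1 = status text, $2 = field name
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Poll `auditctl -s` once per second until the kernel backlog reaches zero.
# Returns 0 when drained, 1 on timeout, 2 if auditctl itself fails.
wait_for_drain() {
    timeout="${1:-30}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        status="$("$AUDITCTL" -s)" || return 2
        backlog="$(status_field "$status" backlog)"
        lost="$(status_field "$status" lost)"
        echo "backlog=${backlog:-?} lost=${lost:-?}"
        if [ "${backlog:-1}" -eq 0 ]; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Usage: run with --drain as root. The -d spec must match how the rule was
# added; `auditctl -D` would instead delete every loaded rule.
if [ "${1:-}" = "--drain" ]; then
    "$AUDITCTL" -d always,exit -S open
    wait_for_drain 60
fi
```

A non-zero `lost` counter in the status output means records were already dropped at the kernel side, which no amount of draining will recover.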