From: Steve Grubb <sgrubb@redhat.com>
To: Warron S French <warron.s.french@aero.org>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: ausearch produces a Warning
Date: Thu, 12 May 2016 21:32:35 -0400
Message-ID: <20160512213235.48223c5d@ivy-bridge>
In-Reply-To: <BY1PR09MB088719EEBCC0CEFBF973C136C7730@BY1PR09MB0887.namprd09.prod.outlook.com>

On Thu, 12 May 2016 19:14:35 +0000
Warron S French <warron.s.french@aero.org> wrote:
> Hello all,
> I have audit logging working exactly as I want it now
> (thanks to you all), but when running ausearch on various systems
> (not all, which tells me something isn't consistent) I get a warning:
>
> Warning - freq is non-zero and incremental flushing not selected.
<snip>
> The question I have is, even though this says "Warning", does it mean
> there is something I really need to be intensely looking into to
> prevent issues to come?

ausearch/report/auditd all share the same config file parser code. This
warning is actually not important for ausearch/report, but is
meaningful for auditd. What this means is that you have incremental
flushing halfway set up. Meaning that the value is non-zero as if you
intended to flush periodically, but you don't actually have incremental
selected as the flushing technique. The fix is to either select
incremental as the flushing technique or set freq to 0 so that it's
consistent with the flush technique.

The reason that you would want to use incremental flushing is for
performance. I'd recommend 100 or 200 for the freq setting on a busy or
aggregating server. I'd recommend 50 for everyone else.

> I do not fully understand the impact of the flush parameter. I
> am also trying to comply with a STIG as well; I think that's what has
> caused this message to be presented.

It means you may not be getting the logging performance that you
intended.

-Steve
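
Added example (not part of the original message and not the audit project's parser code): a small Python check that reads auditd.conf-style text and reports the flush/freq mismatch described in the reply. It also flags the opposite half-configured case (incremental selected with freq 0), which goes beyond what the message covers. The function names and sample configurations are constructed for illustration, and treating `incremental_async` like `incremental` is an assumption.

```python
import sys

# Flush modes that use freq. "incremental" is the mode named in the message;
# treating "incremental_async" the same way is an assumption of this sketch.
INCREMENTAL_MODES = {"incremental", "incremental_async"}


def parse_conf(text):
    """Parse 'key = value' lines; keys and values are lowercased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip().lower()
    return conf


def check_flush_freq(text):
    """Return findings about the flush/freq pairing; an empty list means consistent."""
    conf = parse_conf(text)
    # Missing keys are reported as unset/0 here, not filled with auditd's defaults.
    flush = conf.get("flush", "unset")
    raw = conf.get("freq", "0")
    if not raw.isdigit():
        return [f"freq is not a non-negative integer: {raw!r}"]
    freq = int(raw)
    if freq != 0 and flush not in INCREMENTAL_MODES:
        return [f"flush={flush}, freq={freq}: freq is non-zero but incremental "
                "flushing is not selected; select incremental or set freq to 0"]
    if freq == 0 and flush in INCREMENTAL_MODES:
        return [f"flush={flush}, freq=0: incremental selected but no interval set"]
    return []


# Constructed sample configurations (not taken from the thread).
HALF_SET_UP = "log_format = RAW\nflush = DATA\nfreq = 20\n"
CONSISTENT = "log_format = RAW\nflush = INCREMENTAL\nfreq = 50\n"

if __name__ == "__main__":
    # Usage: python3 check_flush.py /etc/audit/auditd.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HALF_SET_UP
    findings = check_flush_freq(text)
    print("\n".join(findings) or "flush/freq are consistent")
    sys.exit(1 if findings else 0)
```

Run across a fleet, a non-zero exit status identifies the hosts whose auditd.conf would trigger the warning, which helps explain why only some systems show it.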