From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: ausearch produces a Warning
Date: Thu, 12 May 2016 21:32:35 -0400
Message-ID: <20160512213235.48223c5d@ivy-bridge>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Warron S French
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Thu, 12 May 2016 19:14:35 +0000
Warron S French wrote:

> Hello all,
> I have audit logging working exactly as I want it now
> (thanks to you all), but when running ausearch on various systems
> (not all, which tells me something isn't consistent) I get a warning:
>
> Warning - freq is non-zero and incremental flushing not selected.
> The question I have is, even this says "Warning" does it mean there
> is something I really need to be intensely looking into to prevent
> issues to come?

ausearch/report/auditd all share the same config file parser code. This
warning is actually not important for ausearch/report, but is meaningful
for auditd. What this means is that you have incremental flushing
halfway set up. Meaning that the value is non-zero as if you intended to
flush periodically, but you don't actually have incremental selected as
the flushing technique.

The fix is to either select incremental as the flushing technique or
set freq to 0 so that it's consistent with the flush technique. The
reason that you would want to use incremental flushing is for
performance. I'd recommend 100 or 200 for the freq setting on a busy or
aggregating server. I'd recommend 50 for everyone else.

> I do not fully understand the impact of what the flush parameter. I
> am also trying to comply with a STIG as well; I think that's what has
> caused this message to be presented.

It means you may not be getting the logging performance that you
intended.

-Steve
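
A checker for the half-configured state described in the reply above, as an added example that is not part of the original message or the audit project's code. It assumes the `key = value` layout of auditd.conf, treats `incremental_async` as an incremental mode alongside `incremental`, and runs on constructed sample configurations.

```python
# Added example (not from the original message or the audit project).
# Flush modes that make use of freq; treating incremental_async like
# incremental is an assumption of this example.
INCREMENTAL_MODES = {"incremental", "incremental_async"}


def parse_auditd_conf(text):
    """Parse 'key = value' lines; blank lines and '#' comment lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_flush(text):
    """Return None when flush and freq agree, otherwise a finding string."""
    conf = parse_auditd_conf(text)
    # Assumption: a missing key is treated as flush = none / freq = 0.
    flush = conf.get("flush", "none").lower()
    freq_raw = conf.get("freq", "0")
    if not freq_raw.isdigit():
        return f"freq is not a non-negative integer: {freq_raw!r}"
    if int(freq_raw) != 0 and flush not in INCREMENTAL_MODES:
        # The state behind "freq is non-zero and incremental flushing
        # not selected"; both remedies from the reply are offered.
        return (f"freq = {freq_raw} but flush = {flush}: either set "
                "flush = incremental or set freq = 0")
    return None


# Constructed sample configurations (not taken from any real system).
HALF_CONFIGURED = """\
# constructed sample
log_file = /var/log/audit/audit.log
flush = data
freq = 20
"""
FIX_INCREMENTAL = (HALF_CONFIGURED.replace("flush = data", "flush = incremental")
                   .replace("freq = 20", "freq = 50"))
FIX_FREQ_ZERO = HALF_CONFIGURED.replace("freq = 20", "freq = 0")

if __name__ == "__main__":
    for name, conf in [("half-configured", HALF_CONFIGURED),
                       ("incremental, freq 50", FIX_INCREMENTAL),
                       ("data, freq 0", FIX_FREQ_ZERO)]:
        print(f"{name}: {check_flush(conf) or 'consistent'}")
```
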