Date: Wed, 17 Mar 2021 12:06:14 -0400
From: Richard Guy Briggs
To: Lenny Bruzenak
Cc: linux-audit@redhat.com
Subject: Re: Backlog not working with kernel 3.10
Message-ID: <20210317160614.GV986374@madcap2.tricolour.ca>
In-Reply-To: <9800e9b0-0cea-d235-0c2e-ec82464520f7@magitekltd.com>
List-Id: Linux Audit Discussion

On 2021-03-17 09:32, Lenny Bruzenak wrote:
> On 3/16/21 8:46 PM, Richard Guy Briggs wrote:
>
> >> I have run some simple commands in /data that should be logged, e.g.
> >> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
> >> the backlog events counter go up, but it's still 0. If I start auditd
> >> again, the events are never logged. Am I missing something here?
> > So, since you haven't indicated if you have tried and tested this
> > already, please start by running those simple commands while the auditd
> > service is running and verifying that those commands do get logged as
> > expected. If they don't, fix that first.
>
> I was wondering if the events are delivered to syslog
> (/var/log/messages) instead while the auditd is down?
>
> Mine are, same kernel version 3.10.0. From the kernel perspective, no
> backlog?. However, if I stop both audit and rsyslog, add some events the
> backlog count doesn't increase and I can't see where the events may have
> been delivered.

If audit is enabled, but auditd isn't registered, it should fill the
backlog since rsyslog and journald aren't considered reliable delivery
even if those messages appear in the latter two.

> LCB

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
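
The check discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `auditctl -s` status text and reports whether audit is enabled, whether a daemon is registered (non-zero `pid`), and whether the kernel backlog is holding records. The function name `audit_backlog_state`, its result labels and the sample status text are assumptions made for illustration; it assumes the status output carries `enabled`, `pid` and `backlog` fields.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread): classify the kernel
# audit state from `auditctl -s` text on stdin. Accepts "key value" lines as
# well as the single-line "key=value" layout.
audit_backlog_state() {
    tr '=' ' ' | awk '
        {
            # Walk tokens pairwise so both output layouts are handled;
            # "backlog_limit" does not match the anchored "backlog".
            for (i = 1; i < NF; i++)
                if ($i ~ /^(enabled|pid|backlog|lost)$/ && $(i+1) ~ /^[0-9]+$/)
                    v[$i] = $(i+1) + 0
        }
        END {
            if (!("enabled" in v) || !("pid" in v) || !("backlog" in v)) {
                print "unparsed"; exit
            }
            if (v["enabled"] == 0)      print "audit-disabled"
            else if (v["pid"] != 0)     print "daemon-registered"
            else if (v["backlog"] > 0)  print "queueing"      # backlog is filling
            else                        print "not-queueing"  # state reported in the thread
        }'
}

# Constructed sample: audit enabled, no daemon registered (pid 0), backlog 0.
sample='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
printf '%s\n' "$sample" | audit_backlog_state

# On a live system (as root), after stopping auditd and generating events:
#   auditctl -s | audit_backlog_state
```

A result of `not-queueing` after events have been generated matches the behaviour reported in the thread, where the backlog was expected to fill but stayed at 0.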