Re: mode = forward

[Steve Grubb <sgrubb@redhat.com>]

On Saturday, July 28, 2012 09:22:03 PM Michael Mather wrote:
> I am using Ubuntu 12.04, which uses version 1.7.18 of auditd.
> 
> Audispd is complaining that the queue is full and it is dropping events.

This means you have a plugin that is not pulling events fast enough. Are you 
boosting the priority so that it gets more time slices? What plugins are you 
using?

You also want to increase the queue size if you have a busy system. And if you 
have increased the size and and boosted priority, then perhaps you have rules 
that collect too much information.


> According to the man page for audisp-remote.conf (as found at
> linux.die.net), the parameter "mode" can be set to "immediate" or
> "forward". "forward" means that events are buffered in a queue.

Forward means that it puts the event to a cache on disk and then tries to send 
it. Immediate means no queuing - it just tries to send.


> I found that "mode" was set to "immediate", and the queue did not exist.
> 
> But when I try to set the value as "forward" and restart auditd,
> audisp-remote complains that "Option forward not found". And the queue
> still gets full.

1.7.18 is a much older version of the audit system. It may not have all the 
features of the current software.


> Last October, Steve was writing about how big the queue might be on this
> very site.
> 
> Can someone explain what is going on?

If it does not recognize the forward option, then that feature is not 
available on the older software. There is a 1.8 release where this is 
"supported". But the 1.8 code is not being actively developed.

-Steve