public inbox for linux-audit@redhat.com
* mode = forward
From: Michael Mather @ 2012-07-29  1:22 UTC (permalink / raw)
  To: linux-audit

I am using Ubuntu 12.04, which uses version 1.7.18 of auditd.

Audispd is complaining that the queue is full and it is dropping events.

According to the man page for audisp-remote.conf (as found at
linux.die.net), the parameter "mode" can be set to "immediate" or
"forward". "forward" means that events are buffered in a queue.

I found that "mode" was set to "immediate", and the queue did not exist.

But when I try to set the value as "forward" and restart auditd,
audisp-remote complains that "Option forward not found". And the queue
still gets full.

Last October, Steve was writing about how big the queue might be on this
very site.

Can someone explain what is going on?

Thanks - Michael
----------------


* Re: mode = forward
From: Marcelo Cerri @ 2012-07-30 13:17 UTC (permalink / raw)
  To: linux-audit

Hi Michael,

Which component is complaining that the queue is full, audispd or 
audisp-remote? audisp-remote is used for remote logging and I'm not sure 
if this is your case. Can you provide us more information about this?

I took a quick look at the source code of version 1.7.18 of 
audisp-remote and it actually just supports "immediate" mode. Probably 
"forward" mode is supported by later versions.

If audispd is complaining about its queue (instead of audisp-remote), 
you can try to increase the value of q_depth in the audispd.conf file.

Regards,
Marcelo

* Re: mode = forward
From: Michael Mather @ 2012-07-30 14:00 UTC (permalink / raw)
  To: linux-audit

Thanks, Marcelo, for your reply.

Yes, I discovered yesterday that store-and-forward ("mode=forward" in
audisp-remote.conf) was implemented in version 2.1, in March 2011.
Unfortunately, it is taking a while to be in Debian and Ubuntu.

The older versions allow you to specify the queue length, but that would
appear to have no effect. It just seemed to be in the format of the
config file in anticipation of store-and-forward being available.

It is audispd that is complaining. Funny that it says "audispd: queue is
full - dropping event" when it is not using a queue.

Anyway, I am left with several possibilities:

1. Upgrade to a recent version (which?), even though the distribution
does not support it.

2. Up the priority-boost in auditd.conf and/or audispd.conf.

3. Write the log locally and then have something monitor the file. What?

4. Can auditd use rsyslog?

Any suggestions?

Michael
-------

* Re: mode = forward
From: Steve Grubb @ 2012-07-30 14:14 UTC (permalink / raw)
  To: linux-audit

On Saturday, July 28, 2012 09:22:03 PM Michael Mather wrote:
> I am using Ubuntu 12.04, which uses version 1.7.18 of auditd.
> 
> Audispd is complaining that the queue is full and it is dropping events.

This means you have a plugin that is not pulling events fast enough. Are you 
boosting the priority so that it gets more time slices? What plugins are you 
using?

You also want to increase the queue size if you have a busy system. And if you 
have increased the size and boosted priority, then perhaps you have rules 
that collect too much information.


> According to the man page for audisp-remote.conf (as found at
> linux.die.net), the parameter "mode" can be set to "immediate" or
> "forward". "forward" means that events are buffered in a queue.

Forward means that it puts the event to a cache on disk and then tries to send 
it. Immediate means no queuing - it just tries to send.


> I found that "mode" was set to "immediate", and the queue did not exist.
> 
> But when I try to set the value as "forward" and restart auditd,
> audisp-remote complains that "Option forward not found". And the queue
> still gets full.

1.7.18 is a much older version of the audit system. It may not have all the 
features of the current software.


> Last October, Steve was writing about how big the queue might be on this
> very site.
> 
> Can someone explain what is going on?

If it does not recognize the forward option, then that feature is not 
available on the older software. There is a 1.8 release where this is 
"supported". But the 1.8 code is not being actively developed.

-Steve


* Re: mode = forward
From: Steve Grubb @ 2012-07-30 14:24 UTC (permalink / raw)
  To: linux-audit

On Monday, July 30, 2012 10:00:53 AM Michael Mather wrote:
> Yes, I discovered yesterday that store-and-forward ("mode=forward" in
> audisp-remote.conf) was implemented in version 2.1, in March 2011.
> Unfortunately, it is taking a while to be in Debian and Ubuntu.

And also backported to 1.8. However, 1.8 was the final release to that series 
and I am only patching severe bugs in that series.

 
> The older versions allow you to specify the queue length, but that would
> appear to have no effect. It just seemed to be in the format of the
> config file in anticipation of store-and-forward being available.
> 
> It is audispd that is complaining. Funny that it says "audispd: queue is
> full - dropping event" when it is not using a queue.

There actually is a queue in audispd. It's memory resident and holds new events 
while it's feeding the current one to all the plugins. When this queue 
overflows, the plugins are not working fast enough.


> Anyway, I am left with several possibilities:
> 
> 1. Upgrade to a recent version (which?), even though the distribution
> does not support it.

Open a support ticket then. The 1.8 version is compatible with the 1.7 series.

 
> 2. Up the priority-boost in auditd.conf and/or audispd.conf.

That is normal for production systems. The default setting is to handle 
setroubleshoot on a desktop system.

 
> 3. Write the log locally and then have something monitor the file. What?
> 
> 4. Can auditd use rsyslog?

Yes. Use the audisp-syslog plugin. However, not using the audit daemon at all 
will cause audit events to be in syslog. You just have to load the rules 
yourself.

-Steve
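As an added example (not code from the thread or from the audit project), the check a defender would script after reading Steve's diagnosis: parse the key = value settings in audispd.conf, count "audispd: queue is full - dropping event" messages in syslog, and report whether q_depth and priority_boost should be raised or whether the rules themselves need review. The config text, the log excerpt and the thresholds are constructed for illustration.

```python
"""Correlate audispd dropped-event messages with q_depth / priority_boost.

Constructed example: the config and log samples below are made up, and the
thresholds (min_depth, min_boost) are illustrative, not official guidance.
"""
import re

DROP_RE = re.compile(r"audispd: queue is full - dropping event")

# Constructed excerpt in the audispd.conf "key = value" format.
SAMPLE_CONF = """\
q_depth = 80
overflow_action = SYSLOG
priority_boost = 4      # comment after a value is ignored by the parser
max_restarts = 10
"""

# Constructed syslog lines; the audispd message text matches the thread.
SAMPLE_LOG = """\
Jul 30 08:01:12 host audispd: queue is full - dropping event
Jul 30 08:01:12 host audispd: queue is full - dropping event
Jul 30 08:01:13 host auditd[1234]: Audit daemon rotating log files
Jul 30 08:01:14 host audispd: queue is full - dropping event
"""

def parse_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf

def count_drops(log_text):
    """Number of audispd queue-overflow messages in the log text."""
    return sum(1 for line in log_text.splitlines() if DROP_RE.search(line))

def assess(conf, drops, min_depth=200, min_boost=10):
    """Return findings; empty when no events were dropped."""
    findings = []
    if not drops:
        return findings
    depth = int(conf.get("q_depth", 0))          # 0 = key absent
    boost = int(conf.get("priority_boost", 0))
    findings.append(f"{drops} dropped-event messages: a plugin is not keeping up")
    if depth < min_depth:
        findings.append(f"q_depth={depth} is below {min_depth}; raise it")
    if boost < min_boost:
        findings.append(f"priority_boost={boost} is below {min_boost}; raise it")
    if depth >= min_depth and boost >= min_boost:
        findings.append("queue and priority already raised; review rules that collect too much")
    return findings
```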


* Re: mode = forward
From: Michael Mather @ 2012-07-30 18:50 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Steve

I have upped the priority boost to 10 and the queue to 200
(in /etc/audisp/audispd.conf) and at first glance it runs fine.

I am also beginning to understand auditd a bit better.

Thanks for both.

Michael
-------
