From: Matthew Booth
Subject: Re: buffer space
Date: Thu, 13 Aug 2009 16:29:02 +0100
Message-ID: <4A84313E.3010809@redhat.com>
To: David Flatley
Cc: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 13/08/09 15:56, David Flatley wrote:
> Red Hat 5.3 running audit 1.7.7-6
> Rotating logs at 20 megs and allowing 8 logs
> Rules have watches and syscalls from the SECSCAN recommendations, and
> have added some of Steve Grubb's recommendations.
> When we extract and archive the audit logs we get "Error receiving audit
> netlink packet (No buffer space available)" and "error sending signal info
> request"

Where do you get these messages? Are they in /var/log/messages?

> Our extract is: stop auditd then create a file and run ausearch -i >
> file then run an aureport -i > file then once that is done we delete all
> the logs and restart auditd.

You don't want to be stopping auditd. I'd either look harder into the
command line arguments to ausearch and aureport and combine usage with
'service auditd rotate', or use a different collection mechanism.

Also, how are you stopping auditd? Are you using 'service auditd stop'?
If so, you are losing data because it removes audit rules when it stops.
If you are using something else like SIGSTOP, the kernel is sensitive to
the audit daemon not being responsive. This is likely to cause problems.

Can you post the exact script you're using?

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
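
An added example, not part of the original message and not code from the audit project: one way to archive with 'service auditd rotate' plus the `-if` (input file) option of ausearch and aureport, so that auditd is never stopped and its rules stay loaded. The log directory, the archive directory, the stamp file, the two-second pause and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: archive audit data while auditd keeps running.
# Assumed paths (not from the thread); override through the environment.
LOGDIR=${LOGDIR:-/var/log/audit}
ARCHIVE=${ARCHIVE:-/var/tmp/audit-archive}   # hypothetical destination

# Ask the running daemon to start a new audit.log; it is not stopped.
rotate_logs() {
    service auditd rotate
}

# Run ausearch and aureport over each rotated log (audit.log.N) that is
# newer than the stamp file left by the previous run. The live audit.log
# is never read and nothing is deleted. Prints the number of logs archived.
archive_rotated() {
    logdir=$1
    outdir=$2
    stamp=$outdir/.last-archive
    count=0
    mkdir -p "$outdir" || return 1
    for f in "$logdir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue            # glob matched nothing
        if [ -e "$stamp" ] && [ ! "$f" -nt "$stamp" ]; then
            continue                       # handled by an earlier run
        fi
        base=$outdir/$(date +%Y%m%d-%H%M%S)-$(basename "$f")
        # -if makes both tools read the named file, not the live log
        ausearch -i -if "$f" > "$base.events"
        aureport -i -if "$f" > "$base.report"
        count=$((count + 1))
    done
    touch "$stamp"
    echo "$count"
}

# Only act when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    rotate_logs || exit 1
    sleep 2    # assumption: give auditd a moment to finish renaming files
    archive_rotated "$LOGDIR" "$ARCHIVE"
fi
```

Retention is left to auditd's own rotation settings. A size-triggered rotation during a run can rename files under the loop, so schedule the run when the live log is well below its size limit.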