From: Marcelo Cerri
Subject: Re: mode = forward
Date: Mon, 30 Jul 2012 10:17:09 -0300
Message-ID: <50168955.9010307@linux.vnet.ibm.com>
In-Reply-To: <1343524923.2542.18.camel@debian.domain_name>
To: linux-audit@redhat.com

Hi Michael,

Which component is complaining that the queue is full, audispd or audisp-remote? audisp-remote is used for remote logging and I'm not sure if this is your case. Can you provide us more information about this?

I took a quick look at the source code of version 1.7.18 of audisp-remote and it actually just supports "immediate" mode. Probably "forward" mode is supported by later versions.

If audispd is complaining about its queue (instead of audisp-remote), you can try to increase the value of q_depth in the audispd.conf file.

Regards,
Marcelo

On 07/28/2012 10:22 PM, Michael Mather wrote:
> I am using Ubuntu 12.04, which uses version 1.7.18 of auditd.
>
> Audispd is complaining that the queue is full and it is dropping events.
>
> According to the man page for audisp-remote.conf (as found at
> linux.die.net), the parameter "mode" can be set to "immediate" or
> "forward". "forward" means that events are buffered in a queue.
>
> I found that "mode" was set to "immediate", and the queue did not exist.
>
> But when I try to set the value as "forward" and restart auditd,
> audisp-remote complains that "Option forward not found". And the queue
> still gets full.
>
> Last October, Steve was writing about how big the queue might be on this
> very site.
>
> Can someone explain what is going on?
>
> Thanks - Michael
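
The triage question raised in this reply (is audispd or audisp-remote the one reporting a full queue, and what is q_depth set to) can be answered from the config file and syslog. The following is an added example, not part of the original thread or of the audit project's code; the sample config values, the log lines and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of audispd.conf (key = value format); values are illustrative.
SAMPLE_CONF = """\
# audispd.conf (constructed sample)
q_depth = 80
overflow_action = SYSLOG
"""

# Constructed syslog lines; the wording of real messages may differ by version.
SAMPLE_SYSLOG = """\
Jul 28 21:58:01 host audispd: queue is full - dropping event
Jul 28 21:58:01 host audispd: queue is full - dropping event
Jul 28 21:58:02 host audisp-remote: Option forward not found - line 9
"""

def parse_conf(text):
    """Parse 'key = value' lines, ignoring blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

# syslog prefix: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s([\w.-]+)(?:\[\d+\])?:\s(.*)$")

def queue_full_by_component(log_text):
    """Count 'queue is full' messages per syslog tag (audispd vs audisp-remote)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "queue is full" in m.group(2).lower():
            counts[m.group(1)] += 1
    return counts

def advise(conf, counts):
    """Return a one-line triage hint based on which component drops events."""
    if counts.get("audispd"):
        return "audispd dropping events: raise q_depth (now %s) in audispd.conf" % conf.get("q_depth", "unset")
    if counts.get("audisp-remote"):
        return "audisp-remote queue full: check its own config and version"
    return "no queue-full messages found"

if __name__ == "__main__":
    print(advise(parse_conf(SAMPLE_CONF), queue_full_by_component(SAMPLE_SYSLOG)))
```

Dropped events are a gap in the audit trail, so the per-component count is worth alerting on rather than only checking by hand.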