From: rshaw1@umbc.edu
To: linux-audit@redhat.com
Subject: Log rotation and client disconnects
Date: Mon, 9 Aug 2010 12:59:50 -0400 (EDT)
Message-ID: <56567.128.63.24.134.1281373190.squirrel@webmail.umbc.edu>
List-Id: linux-audit@redhat.com

I've been having a few issues lately with auditd. I'm running the version packaged with RHEL5 (1.7.17), with one machine collecting logs for a few hundred others using audisp. I had been using logrotate to rotate the logs (in order to get them named with a date extension, bzipped a day after being rotated, etc.). I thought that restarting the daemons each night might be causing issues with many clients trying to reconnect at once, so I tried using copytruncate in order to avoid restarting. This appears to make auditd crash, so I'm looking at using its built-in rotation. However, "service auditd rotate" does not do anything. The man page says this "will consult the max_log_size_action to see if it should keep the logs or not", but I'm not sure what that means; there is "max_log_file_action", which I have set to "ignore" as the FAQ specifies.

I'm also having separate issues with some clients disconnecting from the server, retrying twice in about a 40-second interval, and then giving up. The server isn't going down, and this isn't even happening at the same time I was restarting auditd. I would really like the clients to make more of an effort at reconnecting. I have the configuration options set like so on the clients, but maybe I'm misunderstanding what they do:

network_retry_time = 30
max_tries_per_record = 60
max_time_per_record = 5
...
remote_ending_action = reconnect

Finally, if anyone has any recommendations for setting tcp_listen_queue on the server (I'm not sure if this is supposed to indicate a number of audit messages or clients) and queue_depth on the clients when using a few hundred clients, that would be great.

Thanks for any assistance,
--Ray
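Added example (not part of Ray's post, and not code from audit-userspace): a small Python checker for the settings the post raises. The collector-side keywords (num_logs, max_log_file_action, tcp_listen_queue) come from auditd.conf(5); the client-side retry knobs Ray lists (network_retry_time, max_tries_per_record, max_time_per_record, remote_ending_action, queue_depth) are audisp-remote.conf(5) options. Two documented facts drive the rotation and listener checks: auditd.conf(5) states that logs are not rotated when num_logs is below 2, and that tcp_listen_queue is the number of pending (requested but not yet accepted) client connections, default 5, which is too small when many hosts connect at once. The listen(2) backlog being capped by net.core.somaxconn is kernel behaviour; the 128 default used below is an assumption. The sample config files, the hostname, and the way the per-record retry limits are combined in effective_tries() are assumptions for illustration, not a reading of the auditd source.

```python
"""Check the auditd.conf / audisp-remote.conf settings raised in the thread.
Constructed example; not code from the original post or from audit-userspace."""
import re

# Constructed sample files. The client values copy the ones quoted in the
# post; everything else is an assumption made up for illustration.
SERVER_CONF = """\
# /etc/audit/auditd.conf (constructed example, collector side)
log_file = /var/log/audit/audit.log
num_logs = 4
max_log_file = 6
max_log_file_action = ignore
tcp_listen_port = 60
tcp_listen_queue = 5
"""

CLIENT_CONF = """\
# /etc/audisp/audisp-remote.conf (constructed example, client side)
remote_server = collector.example.com
port = 60
queue_depth = 2048
network_retry_time = 30
max_tries_per_record = 60
max_time_per_record = 5
remote_ending_action = reconnect
"""

_KV = re.compile(r"^([A-Za-z_]+)\s*=\s*(\S.*?)\s*$")

def parse_conf(text):
    """Parse the 'key = value' format shared by auditd.conf(5) and
    audisp-remote.conf(5); '#' starts a comment, keys are lowercased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError("malformed line: %r" % raw)
        conf[m.group(1).lower()] = m.group(2)
    return conf

def check_rotation(server):
    """Why 'service auditd rotate' (SIGUSR1 to auditd) can appear to do nothing:
    auditd.conf(5) says logs are not rotated at all when num_logs is < 2."""
    findings = []
    num_logs = int(server.get("num_logs", "0"))          # documented default 0
    action = server.get("max_log_file_action", "ignore").lower()
    if num_logs < 2:
        findings.append("num_logs=%d: rotation disabled, so 'service auditd rotate' "
                        "has nothing to shift" % num_logs)
    if action == "ignore":
        findings.append("max_log_file_action=ignore: hitting max_log_file never "
                        "rotates; only an explicit 'service auditd rotate' will")
    elif action not in ("syslog", "suspend", "rotate", "keep_logs"):
        findings.append("max_log_file_action=%r is not a documented value" % action)
    return findings

def check_listener(server, n_clients, somaxconn=128):
    """tcp_listen_queue is the listen(2) backlog of pending client connections
    (auditd.conf(5), default 5): it counts connections, not audit messages.
    The kernel silently caps it at net.core.somaxconn; 128 is an assumed
    default, read the sysctl on the real collector."""
    findings = []
    backlog = int(server.get("tcp_listen_queue", "5"))
    effective = min(backlog, somaxconn)
    if effective < n_clients:
        findings.append("tcp_listen_queue=%d (effective %d under somaxconn=%d) is below "
                        "%d clients; a reconnect burst after a collector restart can "
                        "overflow the backlog" % (backlog, effective, somaxconn, n_clients))
    if backlog > somaxconn:
        findings.append("tcp_listen_queue=%d exceeds net.core.somaxconn=%d; raise the "
                        "sysctl or the extra backlog is ignored" % (backlog, somaxconn))
    return findings

def effective_tries(client):
    """Attempts audisp-remote can make for one record before giving up.
    audisp-remote.conf(5) bounds a record by both max_tries_per_record and
    max_time_per_record, with network_retry_time seconds between attempts.
    Treating whichever limit is hit first as the end (assumption, not read
    from the source) gives the attempt count below."""
    retry = max(int(client.get("network_retry_time", "1")), 1)
    tries = int(client.get("max_tries_per_record", "3"))
    budget = int(client.get("max_time_per_record", "5"))
    return min(tries, 1 + budget // retry)

def check_client(client):
    findings = []
    tries = int(client.get("max_tries_per_record", "3"))
    eff = effective_tries(client)
    if eff < tries:
        findings.append("max_time_per_record=%ss expires after %d attempt(s) spaced "
                        "network_retry_time=%ss apart, so max_tries_per_record=%d is "
                        "never reached" % (client.get("max_time_per_record", "5"), eff,
                                           client.get("network_retry_time", "1"), tries))
    if client.get("remote_ending_action", "reconnect").lower() != "reconnect":
        findings.append("remote_ending_action is not 'reconnect'; clients will not "
                        "re-establish the session after the collector closes it")
    return findings

if __name__ == "__main__":
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    for f in check_rotation(server) + check_listener(server, 300) + check_client(client):
        print("-", f)
```

Run against the constructed files with 300 clients, the checker flags the five-deep listen backlog and points out that a 5-second max_time_per_record cannot accommodate 30-second retry spacing; swap in the real /etc/audit/auditd.conf and /etc/audisp/audisp-remote.conf contents and the actual net.core.somaxconn value before drawing conclusions about a live collector.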