From: rshaw1@umbc.edu
Subject: Re: Log rotation and client disconnects
Date: Thu, 12 Aug 2010 10:02:29 -0400 (EDT)
Message-ID: <58805.128.63.24.134.1281621749.squirrel@webmail.umbc.edu>
References: <56567.128.63.24.134.1281373190.squirrel@webmail.umbc.edu> <201008091353.32210.sgrubb@redhat.com>
In-Reply-To: <201008091353.32210.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I just realized that my last reply went only to Steve Grubb, and not the list. Sorry about that. This Webmail client is pretty awful, but at the moment, I have to use it.

I've discovered the issue since I sent it, anyway. If num_logs is set to 0, auditd will ignore explicit requests to rotate the logs. I guess this may be intentional, but it's unfortunate as num_logs caps at 99 and I need to keep 365 of them.
I suppose that since I'll have to rename and bzip them anyway, I may as well just move them to another location (maybe /var/log/audit/archive) so that auditd doesn't "see" them, unless there's a better way to do this.

I'm still not sure what to do about the disconnection issues (although hopefully those will be very infrequent once I'm no longer restarting any of the daemons). If a client does lose the connection to the server for a while though (say, an hour-long network outage for networking upgrades), I'd like to be able to tell them to try reconnecting periodically, and the combination of network_retry_time and max_tries_per_record doesn't seem to be the way to do that.

Other than checking the logs, is there a way to determine whether or not a running audispd is connected to the remote server?

>> I'm also having separate issues with some clients disconnecting from the
>> server, retrying twice in about a 40 second interval, and then giving
>> up.
>> The server isn't going down, and this isn't even happening at the same
>> time I was restarting auditd.
>
> Anything written to syslog on either end?

Nothing is on the server, but this is (everything) on the client:

Aug 4 23:12:07 host1 audisp-remote: connection to host2 closed unexpectedly
Aug 4 23:12:07 host1 audisp-remote: Connected to host2
Aug 4 23:12:12 host1 audisp-remote: connection to host2 closed unexpectedly
Aug 4 23:12:42 host1 audisp-remote: network failure, max retry time exhausted

Thanks,

--Ray
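
Added example (not part of the original message and not code from the audit project): one way to script the archiving described above, moving each rotated log out of auditd's view, compressing it with bzip2, and keeping the newest 365. It assumes num_logs is 2 or more so that a rotate request produces audit.log.1; the function names, the --run switch, the file naming scheme and the 2-second wait are made up for this sketch.

```shell
#!/bin/sh
# Added example: archive rotated auditd logs outside auditd's own rotation set.
# Paths and the 365-file retention come from the message above; the naming
# scheme audit-YYYYMMDD-HHMMSS.log.bz2 is an assumption of this sketch.
LOG_DIR="${LOG_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-$LOG_DIR/archive}"
KEEP="${KEEP:-365}"

# Ask the running auditd to rotate now (it rotates on SIGUSR1), then wait
# briefly because the rotation happens asynchronously.
request_rotation() {
    pid=$(pidof auditd) || return 1
    kill -USR1 "$pid" && sleep 2
}

compress_file() { bzip2 -9 "$1"; }

# Move audit.log.1 into the archive under a timestamped name and compress it.
# Optional $1 overrides the timestamp. Prints the archived path on success;
# returns 1 if there is nothing to archive or the target already exists.
archive_rotated() {
    src="$LOG_DIR/audit.log.1"
    dest="$ARCHIVE_DIR/audit-${1:-$(date +%Y%m%d-%H%M%S)}.log"
    [ -f "$src" ] || return 1
    if [ -e "$dest" ] || [ -e "$dest.bz2" ]; then return 1; fi  # never overwrite
    mkdir -p "$ARCHIVE_DIR" && chmod 0700 "$ARCHIVE_DIR" || return 1
    mv "$src" "$dest" && compress_file "$dest" && echo "$dest.bz2"
}

# Delete the oldest archives until at most $KEEP remain. Glob results are
# sorted, and the fixed-width timestamp makes name order equal to age order.
prune_archive() {
    set -- "$ARCHIVE_DIR"/audit-*.log.bz2
    [ -e "$1" ] || return 0            # glob matched nothing
    while [ "$#" -gt "$KEEP" ]; do
        rm -f -- "$1"
        shift
    done
}

# Intended to be run daily as root, e.g. from cron: archive-audit.sh --run
if [ "${1:-}" = "--run" ]; then
    request_rotation && archive_rotated && prune_archive
fi
```

Because the archive is a subdirectory and the files no longer match audit.log.N, auditd's num_logs limit does not apply to them.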