Subject: Re: Backlog not working with kernel 3.10
From: Lenny Bruzenak
To: linux-audit@redhat.com
Date: Wed, 17 Mar 2021 09:32:40 -0500
Message-ID: <9800e9b0-0cea-d235-0c2e-ec82464520f7@magitekltd.com>
In-Reply-To: <20210317014653.GT986374@madcap2.tricolour.ca>

On 3/16/21 8:46 PM, Richard Guy Briggs wrote:

>> I have run some simple commands in /data that should be logged, e.g.
>> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
>> the backlog events counter go up, but it's still 0. If I start auditd
>> again, the events are never logged. Am I missing something here?
> So, since you haven't indicated if you have tried and tested this
> already, please start by running those simple commands while the auditd
> service is running and verifying that those commands do get logged as
> expected. If they don't, fix that first.

I was wondering if the events are delivered to syslog (/var/log/messages) instead while auditd is down?

Mine are, same kernel version 3.10.0. From the kernel perspective, no backlog? However, if I stop both audit and rsyslog and add some events, the backlog count doesn't increase, and I can't see where the events may have been delivered.

LCB

-- 
Lenny Bruzenak
MagitekLTD
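The thread turns on reading the `auditctl -s` counters correctly: when no auditd is registered with the kernel (`pid 0`), the kernel does not queue records for a daemon, so `backlog` stays at 0 and the records are printed to the kernel log instead, where rsyslog picks them up. The following script is an added example, not code from the thread or the audit project. It parses the multi-line `field value` format that audit 2.x userspace prints for `auditctl -s` (field names as documented in auditctl(8)) and classifies the state. The status texts are constructed samples, not captured from a real host; the function names and the 90% "near-limit" threshold are choices made here.

```shell
#!/bin/sh
# Added example: interpret `auditctl -s` counters. Assumes the audit 2.x
# "field value" one-per-line output format; field names from auditctl(8).

# Constructed sample outputs (not from any real host).
STATUS_NO_DAEMON='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

STATUS_HEALTHY='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 12'

STATUS_PRESSURE='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 0
backlog 301'

STATUS_LOST='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 47
backlog 5'

# audit_status_field STATUS NAME -> value of NAME, empty if the field is absent
audit_status_field() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# audit_backlog_state STATUS -> one word describing what the counters mean
audit_backlog_state() {
    status=$1
    enabled=$(audit_status_field "$status" enabled)
    pid=$(audit_status_field "$status" pid)
    backlog=$(audit_status_field "$status" backlog)
    limit=$(audit_status_field "$status" backlog_limit)
    lost=$(audit_status_field "$status" lost)

    if [ "${enabled:-0}" -eq 0 ]; then
        echo disabled
    elif [ "${pid:-0}" -eq 0 ]; then
        # No daemon registered: records are not queued for a daemon, so
        # "backlog" stays 0; the kernel prints them to the kernel log,
        # which is where syslog picks them up (the behaviour seen above).
        echo no-daemon
    elif [ "${lost:-0}" -gt 0 ]; then
        # The kernel already dropped records; the counter only ever grows.
        echo lost-records
    elif [ "${limit:-0}" -gt 0 ] && [ "${backlog:-0}" -ge $(( limit * 9 / 10 )) ]; then
        # Queue is within 10% of backlog_limit (threshold chosen here).
        echo near-limit
    else
        echo healthy
    fi
}

# Stand-alone run: classify each constructed sample.
for s in "$STATUS_NO_DAEMON" "$STATUS_HEALTHY" "$STATUS_PRESSURE" "$STATUS_LOST"; do
    audit_backlog_state "$s"
done

# On a real host (needs CAP_AUDIT_CONTROL): audit_backlog_state "$(auditctl -s)"
```

With both auditd and rsyslog stopped, records that the kernel printed to its log are still in the kernel ring buffer and can be read with `dmesg` until they are overwritten; they do not appear in `backlog`, because that counter only covers records queued for a registered daemon.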
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit