From mboxrd@z Thu Jan 1 00:00:00 1970 From: LC Bruzenak Subject: Re: audit-1.7.16 released Date: Tue, 17 Nov 2009 22:16:35 -0600 Message-ID: References: <200910171155.43836.sgrubb@redhat.com> <200911161059.05503.sgrubb@redhat.com> <200911171648.28642.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: Linux Audit List-Id: linux-audit@redhat.com On Tue, Nov 17, 2009 at 9:52 PM, LC Bruzenak wrote: > On Tue, Nov 17, 2009 at 3:48 PM, Steve Grubb wrote: >> On Monday 16 November 2009 06:52:24 pm LC Bruzenak wrote: >>> > You should have daemon start/end events at the aggregator. Are they not >>> > getting there? Also, the aggregator should have matching >>> > connect/disconnect events. >>> >>> I am not getting the DAEMON_END events. In an orderly shutdown, the >>> network shuts down before the audit daemon does. >> >> OK, I'll take a look to see if things can be reordered to let this event get >> sent. >> >> -Steve >> > > Thanks, that would help in the case where the client shuts down normally. > There is definitely utility in having a positive event come from the > sender saying it is shutting down. > > But if the client gets the power cord yanked out it doesn't help me, > so I'll still try to add something on the server side to add a local > audit event as well as the syslog. > OK, I see it appears it would work as expected. I see that the "close_client" gets called on a client timeout, and it does send a AUDIT_DAEMON_CLOSE event. I will test that ASAP. I assume a client which just drops off would hit this case. Thx! LCB. -- LC (Lenny) Bruzenak