Audit pipe full
Steve Grubb
sgrubb at redhat.com
Fri Mar 9 20:28:56 UTC 2007
On Friday 09 March 2007 15:20, Ameel Kamboh wrote:
> Does this mean the dispatcher is now turned of or I just loose those
> events.
No. You need to look in /etc/audit/auditd.conf to see what your disp_qos
setting is. The options are lossy and blocking.
> Currently I am not seeing any events in SNARE and trying to trouble
> shoot where the issue is.
There is a sample program: /usr/share/doc/audit-1.3.1/skeleton.c that is an
event dispatcher, too. You can build and install it. It sends events to
syslog. If that works then the problem is the snare piece. If that program
fails, let me know.
-Steve
More information about the Linux-audit
mailing list