[PATCH] Add auditd listener and remote audit protocol
LC Bruzenak
lenny at magitekltd.com
Fri Aug 15 00:22:24 UTC 2008
On Thu, 2008-08-14 at 20:07 -0400, Steve Grubb wrote:
> On Thursday 14 August 2008 19:50:23 LC Bruzenak wrote:
> > I cannot speak for other end-users...but my guess is that if they are
> > using audit and aggregating they probably care about not dropping it,
> > whereas others can just syslog the events if the auditd isn't enabled
> > and then use centralized syslog, right?
>
> Does syslog queue unsent messages and recover them?
>
> -Steve

Not AFAIK...but then again it isn't configurable to panic the machine on
failure.

I think you have a good point - this is the first cut and maybe later on
institute a "replay daemon" or something which can send events on
reconnect.

We will not lose them locally so that's covered. After that it is a
different problem.

Thx,
LCB.

--
LC (Lenny) Bruzenak
lenny at magitekltd.com