Problem with auditd/SnareLinux on RHEL 5.3 - auditd glomming memory

Steve Grubb sgrubb at redhat.com
Sat Feb 21 13:07:22 UTC 2009


On Thursday 19 February 2009 04:30:10 pm Smith, Gary R wrote:
> When the setting for the output log format is set to "NOLOG" (log_format
> = NOLOG in auditd.conf) it appears that audit events are getting stacked
> up in the internal message queue (audit_reply_list) and are not removed
> from the stack after being written to the audit dispatcher daemon. The
> result is the stack grows without end.
>
> I have the following potential fix for audit version 1.7.11:

OK, I had a chance to look into this problem. The big clue was that it's only 
happening when NOLOG is given. The patch that was sent does fix the problem, 
but it doesn't allow reconfigure (sighup) and on-demand log rotation 
(sigusr1) to work either. What I believe is the correct fix was put into svn 
as commit 252.

https://fedorahosted.org/audit/changeset/252

Thanks for the troubleshooting.

-Steve



