space_left_action
LC Bruzenak
lenny at magitekltd.com
Thu Jul 30 21:12:26 UTC 2009
On Thu, 2009-07-30 at 16:23 -0400, Steve Grubb wrote:
> On Thursday 30 July 2009 04:13:54 pm LC Bruzenak wrote:
> > Good news: When I set the space_left_action to syslog and crossed the
> > boundary, I got a syslog message on the next audit event. Subsequent
> > events did not generate any further syslog messages.
> >
> > Then I freed up disk space, sent in a few events for good measure
> > (thinking it would reset the flag) and once again filled the disk past
> > the threshold.
> > Bad news: I didn't get the message again.
>
> Did you do a "service auditd resume" ?
>
> > Should this behavior have happened as I expected and another log message
> > get into the messages log? Or as coded would the auditd need restart?
>
> You shouldn't need to restart it, but you should tell it to resume.
>
> -Steve
Thanks for the info Steve!
I would think the manual resume option appropriate definitely for the
"suspend" option...but not really the syslog.
Is there a reason to not have it reset if the space is freed?
So if eventually I need to patch this, would you:
1: accept a change?
2: also want another parameter like "autoresume_on_space_free = false"
to preserve this behavior?
Thanks,
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list