audisp-remote options

Nicholas Nachefski nnachefski at gmail.com
Mon Nov 16 19:06:54 UTC 2009


I worked through a situation a while back and wanted to send a quick post to
the list describing how I solved it in case anyone else may be needing help.

The issue I came across was that several of my customer boxes stopped logging
to my consolidated audit server via audisp-remote.  I received messages in
the local /var/log/messages files for these servers stating that the network
connection to my log server had been broken and that audisp-remote was
terminating.  Obviously, I need audisp-remote to not terminate when it can't
find the log server and to keep attempting to re-connect (while spooling
events locally, see 'q_depth').

The corrective action I took that resolved my issue was to adjust two
parameters in the /etc/audisp/audisp-remote.conf config file:

I modified the following parameters:

network_failure_action = stop
remote_ending_action = suspend

and changed them to:

network_failure_action = ignore
remote_ending_action = reconnect

and now all of my customer boxes are reporting without stoppage, even when
the network or log server is temporarily unavailable.  I imagine the local
audit buffer will fill up on the client side though if your network or log
server is unavailable for any extended period of time.

Just thought I would share in case anyone needs help with this.

-Nick Nachefski
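
An added example, not part of the original post: a small checker that parses an audisp-remote.conf and flags the two settings the post changed when they are still set to a value that stops forwarding. The sample file contents, the server name and the function names are constructed for illustration; only the values named in the post are judged.

```python
import re

# Values the post moved away from because forwarding stopped after an outage.
STOPS_FORWARDING = {"stop", "suspend"}
# Replacement values taken from the post.
RECOMMENDED = {"network_failure_action": "ignore",
               "remote_ending_action": "reconnect"}

# Constructed sample: the "before" state described in the post.
SAMPLE = """\
# constructed sample, not a real host's file
remote_server = logserver.example.com
q_depth = 200
network_failure_action = stop
remote_ending_action = suspend
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and '#' comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(.*)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit_conf(text):
    """Return (key, current_value, suggestion) for each setting to review."""
    settings = parse_conf(text)
    findings = []
    for key, want in RECOMMENDED.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, None, "not set; daemon default applies"))
        elif value.lower() in STOPS_FORWARDING:
            findings.append((key, value, f"change to '{want}'"))
    return findings

def queue_depth(text):
    """Return q_depth as an int (local queue size), or None if absent/invalid."""
    value = parse_conf(text).get("q_depth", "")
    return int(value) if value.isdigit() else None

if __name__ == "__main__":
    for key, value, note in audit_conf(SAMPLE):
        print(f"{key} = {value}: {note}")
    print("q_depth =", queue_depth(SAMPLE))
```

Run it against the contents of /etc/audisp/audisp-remote.conf on each client; an empty findings list means both settings already use a value other than the ones the post replaced.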