check_second_connection stopping my recovery?

LC Bruzenak lenny at magitekltd.com
Wed Nov 18 23:01:10 UTC 2009


It appears to me as though the new connection code in auditd-listen.c
is stopping my recovery actions.
My aggregator is getting a constant stream of:
op=dup addr=192.168.10.10:43546 port=43546 res=no

I was going back through the events on disk, scooping them up and
sending them to the aggregation machine as Steve suggested a long
while back (using an ausearch then piping the results to
audisp-remote).
So it appears to me that this is now prohibited.  Was this intentional?

Thx,
LCB.

-- 
LC (Lenny) Bruzenak



