Log rotation and client disconnects

rshaw1 at umbc.edu
Mon Aug 9 16:59:50 UTC 2010
I've been having a few issues lately with auditd.  I'm running the version
packaged with RHEL5 (1.7.17), with one machine collecting logs for a few
hundred others using audisp.

I had been using logrotate to rotate the logs (in order to get them named
with a date extension, bzipped a day after being rotated, etc.)  I thought
that restarting the daemons each night might be causing issues with many
clients trying to reconnect at once, so I tried using copytruncate in
order to avoid restarting.  This appears to make auditd crash, so I'm
looking at using its built-in rotation.  However, "service auditd rotate"
does not do anything.  The man page says this "will consult the
max_log_size_action to see if it should keep the logs or not", but I'm not
sure what that means; there is "max_log_file_action", which I have set to
"ignore" as the FAQ specifies.

I'm also having separate issues with some clients disconnecting from the
server, retrying twice in about a 40 second interval, and then giving up. 
The server isn't going down, and this isn't even happening at the same
time I was restarting auditd.  I would really like the clients to make
more of an effort at reconnecting.  I have the configuration options set
like so on the clients, but maybe I'm misunderstanding what they do:

network_retry_time = 30
max_tries_per_record = 60
max_time_per_record = 5
...
remote_ending_action = reconnect

Finally, if anyone has any recommendations for setting tcp_listen_queue on
the server (I'm not sure if this is supposed to indicate a number of audit
messages or clients) and queue_depth on the clients when using a few
hundred clients, that would be great.

Thanks for any assistance,

--Ray