Events lost with dispatcher
Steve Grubb
sgrubb at redhat.com
Wed Mar 31 19:56:34 UTC 2010
On Wednesday 31 March 2010 03:48:35 pm Steve Grubb wrote:
> > I am losing events when using the dispatcher mode. (ex: there are 100
> > events to be received, I receive just 70)
>
> Is there anything in syslog from auditd? What is your priority boost in
> auditd.conf and audispd.conf?
Wait, you are writing a dispatcher...are you boosting your priority above
auditd? If not, you should probably increase it by at least 4. Your dispatcher
has to stay ahead of auditd.
-Steve
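
Added example, not part of the original message or of the audit project's code: one way a custom dispatcher could pick a nice value that keeps it ahead of auditd. It assumes auditd starts at nice 0 and lowers its nice value by `priority_boost`, and it reads "at least 4" as four nice levels beyond auditd; the function names and the sample configuration text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define DISPATCHER_MARGIN 4   /* "at least 4", per the message above */

/* Find "priority_boost = N" in auditd.conf-style text.
 * Returns N (capped at 20), or -1 if the key is absent or malformed. */
int parse_priority_boost(const char *conf)
{
    size_t klen = strlen("priority_boost");
    for (const char *line = conf; line && *line; ) {
        const char *p = line;
        while (*p == ' ' || *p == '\t') p++;          /* leading blanks */
        if (strncmp(p, "priority_boost", klen) == 0) {
            p += klen;
            while (*p == ' ' || *p == '\t') p++;
            if (*p == '=') {                          /* exact key match */
                char *end;
                long v = strtol(p + 1, &end, 10);
                if (end == p + 1 || v < 0) return -1; /* no digits / negative */
                return v > 20 ? 20 : (int)v;
            }
        }
        line = strchr(line, '\n');                    /* advance to next line */
        if (line) line++;
    }
    return -1;
}

/* Assumption: auditd runs at nice -boost, so the dispatcher goes
 * DISPATCHER_MARGIN lower, clamped to the minimum nice value of -20. */
int dispatcher_nice(int auditd_boost)
{
    int n = -(auditd_boost + DISPATCHER_MARGIN);
    return n < -20 ? -20 : n;
}

int main(void)
{
    /* Constructed sample; a real dispatcher would read /etc/audit/auditd.conf. */
    const char *conf = "# sample\nlog_file = /var/log/audit/audit.log\npriority_boost = 4\n";
    int boost = parse_priority_boost(conf);
    int target = dispatcher_nice(boost < 0 ? 0 : boost);
    if (setpriority(PRIO_PROCESS, 0, target) != 0)    /* needs root or CAP_SYS_NICE */
        perror("setpriority");
    printf("auditd boost %d -> dispatcher nice %d\n", boost, target);
    return 0;
}
```
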