mode = forward

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Mon Jul 30 13:17:09 UTC 2012


Hi Michael,

Which component is complaining that the queue is full, audispd or 
audisp-remote? audisp-remote is used for remote logging and I'm not sure 
if this is your case. Can you provide us with more information about this?

I took a quick look at the source code of version 1.7.18 of 
audisp-remote and it actually just supports "immediate" mode. Probably 
"forward" mode is supported by later versions.

If audispd is complaining about its queue (instead of audisp-remote), 
you can try to increase the value of q_depth in the audispd.conf file.

Regards,
Marcelo

On 07/28/2012 10:22 PM, Michael Mather wrote:
> I am using Ubuntu 12.04, which uses version 1.7.18 of auditd.
>
> Audispd is complaining that the queue is full and it is dropping events.
>
> According to the man page for audisp-remote.conf (as found at
> linux.die.net), the parameter "mode" can be set to "immediate" or
> "forward". "forward" means that events are buffered in a queue.
>
> I found that "mode" was set to "immediate", and the queue did not exist.
>
> But when I try to set the value as "forward" and restart auditd,
> audisp-remote complains that "Option forward not found". And the queue
> still gets full.
>
> Last October, Steve was writing about how big the queue might be on this
> very site.
>
> Can someone explain what is going on?
>
> Thanks - Michael
> ----------------
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
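As an added example, not code from this thread or from the audit project: a small POSIX shell helper that makes the q_depth change suggested above in an idempotent way, i.e. it rewrites the existing "q_depth = N" line in a "key = value" style file, never lowers a value an admin already raised, and appends the line if it is missing. The path /etc/audisp/audispd.conf and the value 2048 are assumptions (the thread gives neither); the sample config the demo edits is constructed here and its values are illustrative, not the shipped defaults.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# Assumption: audispd.conf lives at /etc/audisp/audispd.conf; the demo
# below works on a constructed copy in a temp directory instead.

# get_conf_value FILE KEY
# Prints the value of KEY, skipping comment lines; prints nothing if unset.
get_conf_value() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        $1 == k && $2 == "=" { print $3; exit }
    ' "$1"
}

# set_conf_value FILE KEY VALUE
# Rewrites "KEY = VALUE" in place, keeping the "key = value" spacing the
# file already uses, leaves comments untouched, and appends the line if
# KEY was absent.
set_conf_value() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        /^[[:space:]]*#/ { print; next }
        $1 == k && $2 == "=" { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# raise_q_depth FILE DEPTH
# Raises q_depth to DEPTH only when the current value is lower or unset,
# so re-running it never shrinks a queue that was already enlarged.
# Prints the resulting value.
raise_q_depth() {
    cur=$(get_conf_value "$1" q_depth)
    if [ -z "$cur" ] || [ "$cur" -lt "$2" ]; then
        set_conf_value "$1" q_depth "$2"
    fi
    get_conf_value "$1" q_depth
}

# Demo on a constructed sample config (values are illustrative).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/audispd.conf"
cat > "$demo_conf" <<'EOF'
# constructed sample audispd.conf
q_depth = 80
priority_boost = 4
EOF

raise_q_depth "$demo_conf" 2048               # prints 2048
raise_q_depth "$demo_conf" 512                # prints 2048 (not lowered)
get_conf_value "$demo_conf" priority_boost    # prints 4
rm -rf "$demo_dir"
```

audispd reads its configuration at startup, so the change only takes effect after auditd is restarted, as in the original report. Keep in mind that q_depth sizes an in-memory queue between audispd and its plugins: a larger value absorbs bursts, but if a plugin is consistently slower than the event rate the queue will still fill and events will still be dropped, so the slow consumer itself needs looking at too.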
