mode = forward

Steve Grubb sgrubb at redhat.com
Mon Jul 30 14:24:24 UTC 2012


On Monday, July 30, 2012 10:00:53 AM Michael Mather wrote:
> Yes, I discovered yesterday that store-and-forward ("mode=forward" in
> audisp-remote.conf) was implemented in version 2.1, in March 2011.
> Unfortunately, it is taking a while to be in Debian and Ubuntu.

And also backported to 1.8. However, 1.8 was the final release of that series 
and I am only patching severe bugs in that series.

 
> The older versions allow you to specify the queue length, but that would
> appear to have no effect. It just seemed to be in the format of the
> config file in anticipation of store-and-forward being available.
> 
> It is audispd that is complaining. Funny that it says "audispd: queue is
> full - dropping event" when it is not using a queue.

There actually is a queue in audispd. It's memory resident and holds new events 
while it's feeding the current one to all the plugins. When this queue 
overflows, the plugins are not working fast enough.


> Anyway, I am left with several possibilities:
> 
> 1. Upgrade to a recent version (which?), even though the distribution
> does not support it.

Open a support ticket then. The 1.8 version is compatible with the 1.7 series.

 
> 2. Up the priority-boost in auditd.conf and/or audispd.conf.

That is normal for production systems. The default setting is to handle 
setroubleshoot on a desktop system.

 
> 3. Write the log locally and then have something monitor the file. What?
> 
> 4. Can auditd use rsyslog?

Yes. Use the audisp-syslog plugin. However, not using the audit daemon at all 
will cause audit events to be in syslog. You just have to load the rules 
yourself.

-Steve
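The tuning discussed above (q_depth and priority_boost in audispd.conf, mode = forward in audisp-remote.conf, and the "queue is full - dropping event" message in syslog) as an added, self-contained shell example. This is not code from the linux-audit list or from the audit project: the config and syslog contents are constructed samples, the file paths named in the comments are assumptions, and the replacement values (q_depth 1024, priority_boost 8) are illustrative rather than recommended defaults.

```shell
#!/bin/sh
# Added example for this thread (not audit project code): parse the "key = value"
# format used by audispd.conf and audisp-remote.conf, count audispd overflow
# messages in a syslog excerpt, and emit tuned config text.
# On a real host you would read /etc/audisp/audispd.conf,
# /etc/audisp/audisp-remote.conf and the syslog file (paths assumed here).

# Constructed sample of audispd.conf (small queue, default priority boost).
SAMPLE_AUDISPD_CONF='q_depth = 80
priority_boost = 4
name_format = HOSTNAME
'

# Constructed sample of audisp-remote.conf still in immediate mode.
SAMPLE_REMOTE_CONF='remote_server = collector.example.org
port = 60
mode = immediate
queue_file = /var/spool/audit/remote.log
queue_depth = 200
'

# Constructed syslog excerpt: three audispd drops and one unrelated line.
SAMPLE_SYSLOG='Jul 30 14:01:02 host1 audispd: queue is full - dropping event
Jul 30 14:01:02 host1 audispd: queue is full - dropping event
Jul 30 14:01:03 host1 auditd[1234]: Audit daemon rotating log files
Jul 30 14:01:05 host1 audispd: queue is full - dropping event
'

# conf_get CONTENT KEY: print the value of the first "KEY = value" line, trimmed.
conf_get() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# conf_set CONTENT KEY VALUE: print CONTENT with KEY rewritten, or appended if absent.
conf_set() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" -v val="$3" '
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) { print key " = " val; seen = 1; next }
            print
        }
        END { if (!seen) print key " = " val }'
}

# count_drops SYSLOG: number of audispd queue-overflow messages (0 is not an error,
# so the non-zero exit grep uses for "no match" is swallowed).
count_drops() {
    printf '%s\n' "$1" | grep -c 'audispd: queue is full - dropping event' || true
}

# tuning_report AUDISPD_CONF REMOTE_CONF SYSLOG: one finding per line, "ok" if none.
tuning_report() {
    drops=$(count_drops "$3")
    qd=$(conf_get "$1" q_depth)
    pb=$(conf_get "$1" priority_boost)
    mode=$(conf_get "$2" mode)
    findings=''
    if [ "$drops" -gt 0 ]; then
        findings="${findings}audispd dropped $drops events: q_depth=$qd priority_boost=$pb are too small for this load
"
    fi
    if [ "$mode" != "forward" ]; then
        findings="${findings}audisp-remote mode=$mode: set mode = forward so events are spooled to queue_file when the collector is unreachable
"
    fi
    if [ -z "$findings" ]; then echo ok; else printf '%s' "$findings"; fi
}

# Usage on the constructed samples: the report, then the tuned config text.
tuning_report "$SAMPLE_AUDISPD_CONF" "$SAMPLE_REMOTE_CONF" "$SAMPLE_SYSLOG"
conf_set "$(conf_set "$SAMPLE_AUDISPD_CONF" q_depth 1024)" priority_boost 8
conf_set "$SAMPLE_REMOTE_CONF" mode forward
```

The report only says something is wrong once drops have already happened; the point of raising q_depth and priority_boost before that is that audispd's in-memory queue must absorb bursts while the plugins catch up, and mode = forward moves the remote plugin's own buffering onto disk so a slow or unreachable collector does not back up into that queue. Remember that mode = forward needs audit 2.1 or later, as the thread notes.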

More information about the Linux-audit mailing list