kauditd is writing too many lines in syslog

Aaron Lewis the.warl0ck.1989 at gmail.com
Mon Jan 20 18:34:13 UTC 2014


Hi Guys,

Yes just like what Steve says.

I use a dispatcher to handle all logs, and would rather discard them all if
the dispatcher can't handle them.

And no, the dispatcher is a perl program that runs locally, not remote
logging. (I replaced the 'dispatcher=' line in auditd.conf)

On Tue, Jan 21, 2014 at 2:24 AM, Richard Guy Briggs <rgb at redhat.com> wrote:
> On 14/01/20, Steve Grubb wrote:
>> On Mon, 20 Jan 2014 12:36:27 -0500
>> Richard Guy Briggs <rgb at redhat.com> wrote:
>>
>> > > Can I ask kauditd not to print anything if the user space program cannot
>> > > handle that many messages?
>> >
>> > Sure, on the kernel boot line you can set audit=0 to disable kaudit,
>> > or you can tell the init system to not start auditd.
>>
>> what if someone never wants events to go to syslog?
>
> Then we need to add a new feature to kaudit to stop them.
>
> This also begs the question of what happens to AUDIT_USER_AVC
> messages...  This patchwork is messy.
>
>> -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <rbriggs at redhat.com>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545



-- 
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print:   9F67 391B B770 8FF6 99DC  D92D 87F6 2602 1371 4D33
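As an added illustration of the local-dispatcher approach described in this message (this is example code, not Aaron's perl program and not part of the audit project), below is a small Python dispatcher that reads the frames auditd writes to the program named by 'dispatcher=' in auditd.conf and drops events above a configurable rate instead of letting them back up. It assumes auditd's dispatcher framing from libaudit.h (struct audit_dispatcher_header: four native-endian uint32 fields ver, hlen, type, size, then size bytes of event text); the record type numbers 1300 (AUDIT_SYSCALL) and 1107 (AUDIT_USER_AVC) are the kernel's, and the sample event text is constructed. A real deployment would also want disp_qos in auditd.conf set deliberately (lossy vs lossless), since that governs what auditd itself does when the dispatcher pipe fills.

```python
import io
import struct
import sys
import time

# auditd dispatcher protocol header (libaudit.h, struct audit_dispatcher_header):
# ver, hlen, type, size as native-endian uint32, followed by `size` bytes of text.
HEADER = struct.Struct("=IIII")

AUDIT_SYSCALL = 1300   # kernel record type numbers
AUDIT_USER_AVC = 1107


def pack_event(msg_type, text, ver=0):
    """Build one dispatcher frame (only used here to construct sample input)."""
    data = text.encode()
    return HEADER.pack(ver, HEADER.size, msg_type, len(data)) + data


def iter_events(stream):
    """Yield (type, text) for each complete frame on a binary stream."""
    while True:
        hdr = stream.read(HEADER.size)
        if len(hdr) < HEADER.size:
            return                       # EOF or truncated header
        _ver, hlen, msg_type, size = HEADER.unpack(hdr)
        if hlen > HEADER.size:
            stream.read(hlen - HEADER.size)   # skip extensions from a newer header
        payload = stream.read(size)
        if len(payload) < size:
            return                       # truncated event: stop, don't mis-parse
        yield msg_type, payload.decode(errors="replace")


def parse_bytes(data):
    """Convenience wrapper: parse an in-memory byte string into a list of events."""
    return list(iter_events(io.BytesIO(data)))


class Throttle:
    """Fixed-window limiter: admit at most `max_per_window` events per window."""

    def __init__(self, max_per_window, window_seconds=1.0, clock=time.monotonic):
        self.max = max_per_window
        self.window = window_seconds
        self.clock = clock               # injectable for deterministic testing
        self.window_start = clock()
        self.count = 0
        self.dropped = 0

    def allow(self):
        now = self.clock()
        if now - self.window_start >= self.window:
            self.window_start = now
            self.count = 0
        if self.count < self.max:
            self.count += 1
            return True
        self.dropped += 1                # counted so the loss is visible, not silent
        return False


def dispatch(stream, sink, throttle):
    """Forward admitted events to `sink(type, text)`; return (kept, dropped)."""
    kept = 0
    for msg_type, text in iter_events(stream):
        if throttle.allow():
            sink(msg_type, text)
            kept += 1
    return kept, throttle.dropped


def demo():
    """Five constructed events through a 3-per-window throttle with a frozen clock."""
    events = [
        pack_event(AUDIT_SYSCALL,
                   "type=SYSCALL msg=audit(1390242853.00%d:%d): arch=c000003e "
                   "syscall=2 success=yes exit=3" % (i, i))
        for i in range(5)
    ]
    seen = []
    throttle = Throttle(max_per_window=3, clock=lambda: 0.0)
    return dispatch(io.BytesIO(b"".join(events)),
                    lambda t, s: seen.append((t, s)), throttle)


if __name__ == "__main__":
    # As a real dispatcher: frames arrive on stdin from auditd, admitted events
    # are written as one line each to stdout (wire that to syslog or a file).
    limiter = Throttle(max_per_window=500)
    dispatch(sys.stdin.buffer,
             lambda t, s: sys.stdout.write("%d %s\n" % (t, s)), limiter)
    sys.stderr.write("dropped %d events\n" % limiter.dropped)
```

Dropping at the dispatcher is the choice this message describes; the counter in Throttle exists so that an operator can at least see how many records were discarded, which matters when the audit trail is later used for an investigation.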