Weird issues in 2.6.5

Steve Grubb sgrubb at redhat.com
Wed Jul 13 18:38:26 UTC 2016


On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:
> The only reason I am even upgrading is because of the issues with
> audisp-remote, the not-reconnecting, and the apparent client-side
> buffering, that went away with 2.4.x and 2.6.x.  So if we decide to ship
> logs a different way than with audisp-remote, then it might be best to
> stick with 1.7.x.

This sounds a lot like the idle detection is not set right. In audisp-
remote.conf there is a setting heartbeat_timeout. This should be set to 
something like 60 or 120. Then on the server in auditd.conf there is a setting 
tcp_client_max_idle which should be over twice as high as heartbeat_timeout. 
So, you'd set it to 180 or 300.
 
> That said, so far I see no issues, so we're going to forge ahead and see
> what happens.  I just need to keep in mind what our mitigation plan would
> be if we do run into issues.

Old utilities won't know what to do with enriched events. AFAICS, that would 
be the long term issue. You'll need to use a perl, awk, or cut command to trim 
off the unknown part of the event in your logs.

-Steve
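As an added check, not part of the thread, a shell snippet that reads heartbeat_timeout from audisp-remote.conf and tcp_client_max_idle from auditd.conf and confirms the relationship described above (max idle more than twice the heartbeat); the sample config contents, paths and the collector hostname are constructed, and treating 0 as "timer disabled" is an assumption from the man pages, not from this message.

```shell
# Added example: verify audisp-remote heartbeat vs. auditd idle timeout.
# Sample configs below are constructed; the real files live in /etc/audisp and /etc/audit.

# Print the numeric value of "key = value" from an auditd-style config (first match only).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 when tcp_client_max_idle > 2 * heartbeat_timeout, 1 otherwise.
check_idle_settings() {
    hb=$(conf_get "$1" heartbeat_timeout)
    idle=$(conf_get "$2" tcp_client_max_idle)
    if [ -z "$hb" ] || [ -z "$idle" ]; then
        echo "heartbeat_timeout or tcp_client_max_idle not set" >&2
        return 1
    fi
    # Assumption: 0 disables the respective timer, so idle connections are never detected.
    if [ "$hb" -eq 0 ] || [ "$idle" -eq 0 ]; then
        echo "idle detection disabled (heartbeat_timeout=$hb, tcp_client_max_idle=$idle)" >&2
        return 1
    fi
    if [ "$idle" -le $((2 * hb)) ]; then
        echo "tcp_client_max_idle ($idle) must exceed twice heartbeat_timeout ($hb)" >&2
        return 1
    fi
    return 0
}

# Write constructed sample configs into a temp dir and print its path.
write_sample_configs() {
    dir=$(mktemp -d)
    printf 'remote_server = collector.example\nheartbeat_timeout = 60\n' > "$dir/audisp-remote.conf"
    printf 'tcp_client_max_idle = 180\n' > "$dir/auditd.conf"
    echo "$dir"
}
```

Run it against the real files with `check_idle_settings /etc/audisp/audisp-remote.conf /etc/audit/auditd.conf` to see which side is misconfigured.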
