Backlog not working with kernel 3.10
Lenny Bruzenak
lenny at magitekltd.com
Wed Mar 17 14:32:40 UTC 2021
On 3/16/21 8:46 PM, Richard Guy Briggs wrote:
>> I have run some simple commands in /data that should be logged, e.g.
>> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
>> the backlog events counter go up, but it's still 0. If I start auditd
>> again, the events are never logged. Am I missing something here?
> So, since you haven't indicated if you have tried and tested this
> already, please start by running those simple commands while the auditd
> service is running and verifying that those commands do get logged as
> expected. If they don't, fix that first.
I was wondering if the events are delivered to syslog
(/var/log/messages) instead while the auditd is down?
Mine are, same kernel version 3.10.0. From the kernel perspective, no
backlog? However, if I stop both audit and rsyslog and add some events, the
backlog count doesn't increase and I can't see where the events may have
been delivered.
LCB
--
Lenny Bruzenak
MagitekLTD