Backlog not working with kernel 3.10

Richard Guy Briggs rgb at redhat.com
Wed Mar 17 16:06:14 UTC 2021


On 2021-03-17 09:32, Lenny Bruzenak wrote:
> On 3/16/21 8:46 PM, Richard Guy Briggs wrote:
> 
> >> I have run some simple commands in /data that should be logged, e.g.
> >> touch file, mkdir dir. Finally, I have run auditctl -s and expected to see
> >> the backlog events counter go up, but it's still 0. If I start auditd
> >> again, the events are never logged. Am I missing something here?
> > So, since you haven't indicated if you have tried and tested this
> > already, please start by running those simple commands while the auditd
> > service is running and verifying that those commands do get logged as
> > expected.  If they don't, fix that first.
> 
> I was wondering if the events are delivered to syslog
> (/var/log/messages) instead while the auditd is down?
> 
> Mine are, same kernel version 3.10.0. From the kernel perspective, no
> backlog? However, if I stop both audit and rsyslog and add some events, the
> backlog count doesn't increase and I can't see where the events may have
> been delivered.

If audit is enabled, but auditd isn't registered, it should fill the
backlog since rsyslog and journald aren't considered reliable delivery
even if those messages appear in the latter two.

> LCB

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
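As an added illustration of the check discussed above (this is not part of the thread and not audit-userspace code), a small POSIX shell helper that reads `auditctl -s` status text and reports where records should be ending up; the two status samples are constructed.

```shell
# Constructed samples of `auditctl -s` output (not taken from the thread): audit 2.x/3.x
# print one "key value" per line; older builds print "AUDIT_STATUS: key=value ...".
SAMPLE_NO_AUDITD='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_OLD_FORMAT='AUDIT_STATUS: enabled=1 flag=1 pid=1234 rate_limit=0 backlog_limit=320 lost=0 backlog=0'

# audit_field STATUS_TEXT FIELD: print FIELD's value, whichever of the two formats is used.
# Spaces and '=' both become token separators, so the value is the token after the name.
audit_field() {
    printf '%s\n' "$1" | tr ' =' '\n\n' | awk -v f="$2" '$0 == f { getline; print; exit }'
}

# audit_diagnose STATUS_TEXT: say where audit records should be going.
# Encodes the point made in the thread: with audit enabled and no auditd registered
# (pid 0), the kernel queues records in the backlog; copies that show up in
# syslog/journald via printk are not reliable delivery.
audit_diagnose() {
    enabled=$(audit_field "$1" enabled)
    pid=$(audit_field "$1" pid)
    backlog=$(audit_field "$1" backlog)
    lost=$(audit_field "$1" lost)
    if [ "${enabled:-0}" = "0" ]; then
        echo disabled                 # nothing is generated at all
    elif [ "${pid:-0}" != "0" ]; then
        echo auditd-registered        # records go to auditd; check its audit.log first
    elif [ "${backlog:-0}" -gt 0 ]; then
        echo queued-in-backlog        # expected state while auditd is stopped
    elif [ "${lost:-0}" -gt 0 ]; then
        echo records-lost             # backlog filled past backlog_limit
    else
        echo no-events-queued         # the situation reported in the thread
    fi
}

# Live use (needs root): audit_diagnose "$(auditctl -s)"
```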