Backlog not working with kernel 3.10
Richard Guy Briggs
rgb at redhat.com
Thu Mar 18 01:16:47 UTC 2021
On 2021-03-16 18:25, Alan Evangelista wrote:
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
> First I turned auditd off so that events are not consumed:
> # service stop auditd
>
> Then I make sure that the backlog size is greater than 0:
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> backlog_limit 8192
> lost 0
> backlog 0
This is a bit of a long shot, and I note the "enabled 1" while "pid 0"
above, but have you got "audit=1" in the kernel boot parameters? If
not, what happens if you add it?
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635