Trying to understand audisp-remote network behavior

Ken Hornstein kenh at pobox.com
Tue Jul 12 15:49:52 UTC 2022


>> I would like to speak to those people who use it reliably in production!
>> Specifically, do they have heartbeats configured?
>
>Hello Ken, been fielding systems for a very long time now.
>
>Yes. I've always had heartbeats configured on.

Thank you for your reply!

So I am wondering ...

- Did you ever try without heartbeats configured on?

- Do you see the same things that I see, in that if there is a connection
  drop you don't get a connection retry unless you don't get an audit event
  within the heartbeat interval?

- What _do_ you have your heartbeat interval set to?  I settled on 120
  seconds basically as a guess and that seems to work based on the
  amount of audit activity we get (it is bursty enough that so far
  we've always had an idle interval of at least 120 seconds).

Thanks for any feedback you can give me!

--Ken
