Key based rate limiter (audit_set_rate_limit)
Anurag Aggarwal
anurag19aggarwal at gmail.com
Tue Feb 28 15:35:17 UTC 2023
Hello Paul,
Thank you for your information.
> If you have a particular audit
> rule which is too verbose *and* you are willing to lose audit records
> from that filter rule (which is what would happen if they were rate
> limited), you might want to consider making that audit filter rule
> more targeted to the event you are interested in logging. Generating
> more audit records than you want to see can be a sign of an overly
> general audit rule.
>
I agree that having rules which are too verbose is not a very good idea.
Beside this, is there any other mechanism which we can use to get a similar
effect?
--
Anurag Aggarwal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20230228/c0716032/attachment.htm>
More information about the Linux-audit
mailing list