Hi Guys,
Yes just like what Steve says.
I use a dispatcher to handle all logs, and would rather discard them all if
the dispatcher can't handle them.
And no, the dispatcher is a Perl program that runs locally, not remote
logging. (I replaced the 'dispatcher=' line in auditd.conf.)
On Tue, Jan 21, 2014 at 2:24 AM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
On 14/01/20, Steve Grubb wrote:
> On Mon, 20 Jan 2014 12:36:27 -0500
> Richard Guy Briggs <rgb(a)redhat.com> wrote:
>
> > > Can I ask kauditd not print anything if user space program cannot
> > > handle that much message?
> >
> > Sure, on the kernel boot line you can set audit=0 to disable kaudit,
> > or you can tell the init system to not start auditd.
>
> What if someone never wants events to go to syslog?
Then we need to add a new feature to kaudit to stop them.
This also begs the question of what happens to AUDIT_USER_AVC
messages... This patchwork is messy.
> -Steve
- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 -
http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
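As an added illustration of the local dispatcher setup Aaron describes above (this is example code written for this page, not Aaron's Perl program and not part of the audit project), here is a Python stand-in for a program named on the 'dispatcher=' line of auditd.conf. It assumes the binary framing auditd uses for dispatcher protocol version 0: a header of four native-endian uint32 fields (ver, hlen, type, size) followed by size bytes of record text, delivered on the dispatcher's stdin. It buffers partial records across pipe reads and, in the spirit of "rather discard them all", drops records beyond a bounded queue instead of stalling auditd, counting what it dropped. The record text, type numbers and timestamps in the sample are constructed.

```python
"""Model of a local auditd dispatcher (protocol v0 framing), with drop-on-overflow."""
import struct
import sys
from collections import deque

# Assumed header layout for auditd's dispatcher protocol version 0:
# four native-endian uint32 fields, followed by `size` bytes of record text.
HDR = struct.Struct("=IIII")  # ver, hlen, type, size
AUDISP_PROTOCOL_VER = 0

# A few audit record type numbers used by the constructed sample below.
AUDIT_SYSCALL = 1300
AUDIT_USER_AVC = 1107
AUDIT_EOE = 1320


def frame(rtype, text, ver=AUDISP_PROTOCOL_VER):
    """Encode one record the way auditd would hand it to the dispatcher."""
    data = text.encode("utf-8")
    return HDR.pack(ver, HDR.size, rtype, len(data)) + data


def parse_records(buf):
    """Split buffered stdin bytes into (type, text) records.

    Returns (records, leftover): leftover holds an incomplete trailing record
    that must be kept until more bytes arrive from the pipe.
    """
    records = []
    off = 0
    while len(buf) - off >= HDR.size:
        ver, hlen, rtype, size = HDR.unpack_from(buf, off)
        if ver != AUDISP_PROTOCOL_VER or hlen < HDR.size:
            raise ValueError("unexpected dispatcher header: ver=%d hlen=%d" % (ver, hlen))
        if len(buf) - off < hlen + size:
            break  # partial record: wait for the rest of it
        payload = buf[off + hlen:off + hlen + size]
        records.append((rtype, payload.decode("utf-8", "replace").rstrip("\n\0")))
        off += hlen + size
    return records, buf[off:]


class Dispatcher:
    """Bounded queue: when the consumer cannot keep up, records are discarded, not queued."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()
        self.dropped = 0

    def offer(self, rtype, text):
        if len(self.queue) >= self.capacity:
            self.dropped += 1  # deliberate loss instead of back-pressure on auditd
            return False
        self.queue.append((rtype, text))
        return True


def run_stream(chunks, capacity):
    """Feed stdin chunks (arbitrary boundaries) through the parser and dispatcher."""
    disp = Dispatcher(capacity)
    pending = b""
    for chunk in chunks:
        pending += chunk
        records, pending = parse_records(pending)
        for rtype, text in records:
            disp.offer(rtype, text)
    return disp, pending


# Constructed sample: three records as auditd might emit for one syscall event
# plus a USER_AVC message. Field values are invented for illustration.
SAMPLE_RECORDS = [
    (AUDIT_SYSCALL, "audit(1390227861.123:42): arch=c000003e syscall=59 success=yes exit=0 pid=1234"),
    (AUDIT_USER_AVC, "audit(1390227861.130:43): pid=987 uid=0 msg='avc: denied { read } for pid=1234'"),
    (AUDIT_EOE, "audit(1390227861.123:42): "),
]
SAMPLE_STREAM = b"".join(frame(t, m) for t, m in SAMPLE_RECORDS)


def read_stdin_chunks(block=4096):
    """Yield raw blocks from the pipe auditd connects to the dispatcher's stdin."""
    while True:
        chunk = sys.stdin.buffer.read(block)
        if not chunk:
            return
        yield chunk


if __name__ == "__main__":
    disp, leftover = run_stream(read_stdin_chunks(), capacity=1024)
    for rtype, text in disp.queue:
        print("type=%d %s" % (rtype, text))
    print("dropped=%d leftover_bytes=%d" % (disp.dropped, len(leftover)), file=sys.stderr)
```

Pointed at by 'dispatcher=' in auditd.conf, the script would run as auditd's child and read from the pipe; run stand-alone it reads a framed stream from stdin (for a quick check, pipe it SAMPLE_STREAM from another Python one-liner). The capacity bound and the drop counter are the part worth keeping: they make the loss that the thread argues about explicit and measurable rather than silently stalling the pipe.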