On Tuesday, October 29, 2013 03:51:53 PM leam hall wrote:
The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is
that "failure" any logging event? Or just logging events when the backlog
is higher than whatever the -b option sets it to?
Thanks!
Leam
From the auditctl man page:
This option lets you determine how you want the kernel to handle
critical errors. Example conditions where this flag is consulted
includes: transmission errors to userspace audit daemon, backlog limit
exceeded, out of kernel memory, and rate limit exceeded. The
default value is 1.
This is only for the kernel. User space error handling is dictated by the
*_action settings in auditd.conf.
-Steve