Steve, thanks!
Leam
On Tue, Oct 29, 2013 at 4:17 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
 On Tuesday, October 29, 2013 03:51:53 PM leam hall wrote:
 > The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is
 > that "failure" any logging event? Or just logging events when the backlog
 > is higher than whatever the -b option sets it to?
 >
 > Thanks!
 >
 > Leam
 From the auditctl man page:
               This option lets you determine how you want the kernel to
               handle critical errors. Example conditions where this flag
               is consulted includes: transmission errors to userspace
               audit daemon, backlog limit exceeded, out of kernel memory,
               and rate limit exceeded. The default value is 1.
 This is only for the kernel. User space error handling is dictated by the
 *_action settings in auditd.conf.
 -Steve
 
-- 
Mind on a Mission <http://leamhall.blogspot.com/>
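
Added example, not part of the original thread or of the audit project's code: a small Python check that reports the two separate layers discussed above, the kernel failure mode (`-f`, with `-b`) from an audit.rules-style file and the userspace `*_action` settings from an auditd.conf-style file. The function names and both sample files are constructed for illustration; the mode names for 0, 1 and 2 are the ones given in auditctl(8).

```python
import re
import shlex

# Kernel failure modes as documented in auditctl(8).
FAILURE_MODES = {0: "silent", 1: "printk", 2: "panic"}

# Constructed samples, not taken from a real host.
SAMPLE_RULES = """\
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-f 2
"""
SAMPLE_CONF = """\
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = HALT
disk_error_action = SYSLOG
"""

def kernel_settings(rules_text):
    """Return (failure_mode, backlog_limit); a later -f or -b overrides an earlier one."""
    failure, backlog = 1, None  # 1 is the default the man page states
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        args = shlex.split(line)
        for flag, value in zip(args, args[1:]):
            if flag == "-f" and value.isdigit():
                failure = int(value)
            elif flag == "-b" and value.isdigit():
                backlog = int(value)
    return failure, backlog

def userspace_actions(conf_text):
    """Return every *_action setting found in auditd.conf-style text."""
    pattern = re.compile(r"\s*(\w+_action)\s*=\s*(\S+)")
    return {m.group(1): m.group(2)
            for m in map(pattern.match, conf_text.splitlines()) if m}

def report(rules_text, conf_text):
    failure, backlog = kernel_settings(rules_text)
    lines = [f"kernel: -f {failure} ({FAILURE_MODES.get(failure, 'invalid')}), -b {backlog}"]
    lines += [f"auditd: {k} = {v}" for k, v in sorted(userspace_actions(conf_text).items())]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES, SAMPLE_CONF)))
```

On the constructed samples the second `-f` line wins, so the kernel is reported in panic mode while auditd's own disk handling is reported separately.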