On 14/01/20, Aaron Lewis wrote:
> Hi,
> I'm not sure if this is the default behavior,
> I'm using audit 2.3.2, and I've configured auditd not to log anything
> (NOLOG option), and I set the queue buffer to 10240 messages.

I assume this is because you are using remote logging or using the
dispatcher?

> When the buffer is full or auditd is suddenly killed or for some other
> reason, it seems to write a lot of things to dmesg or /var/log/messages

This is by design.

> So, did kauditd write all these? I already killed the auditd process but I
> can still see logs piling up.

If auditd has ever run, kaudit will continue to try delivering messages.

> Can I ask kauditd not to print anything if the user space program cannot
> handle that many messages?

Sure, on the kernel boot line you can set audit=0 to disable kaudit, or
you can tell the init system to not start auditd.

> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/

- RGB
--
Richard Guy Briggs <rbriggs(a)redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
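
A diagnostic sketch for the situation discussed in this thread, added here as an example and not part of either message: it reads a kernel command line and `auditctl -s` output and reports whether audit records are headed to auditd or to the kernel log. The function names and both sample status strings are constructed, and the two `auditctl -s` layouts it accepts (single-line `name=value`, and one `name value` pair per line) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). All names below are hypothetical.

# Value of the audit= boot parameter on a kernel command line; the last
# occurrence is kept. Prints "unset" when the parameter is absent.
audit_boot_param() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if (index($i, "audit=") == 1) v = substr($i, 7) }
        END { print (v == "" ? "unset" : v) }'
}

# One field from `auditctl -s` output. Accepts "name=value" tokens on a
# single line as well as "name value" lines (both layouts are assumed).
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { for (i = 1; i <= NF; i++) {
              if ($i == k && i < NF) { print $(i + 1); exit }
              if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
          } }'
}

# Where audit records are headed: "disabled-at-boot" (audit=0), "disabled"
# (enabled=0), "kernel-log" (enabled, no daemon registered: the dmesg and
# /var/log/messages case from the thread) or "auditd".
audit_sink() {
    if [ "$(audit_boot_param "$1")" = 0 ]; then echo disabled-at-boot; return; fi
    enabled=$(status_field "$2" enabled)
    pid=$(status_field "$2" pid)
    if [ "${enabled:-0}" -eq 0 ]; then echo disabled
    elif [ "${pid:-0}" -eq 0 ]; then echo kernel-log
    else echo auditd
    fi
}

# Constructed samples: auditd killed with a full backlog, then a healthy host.
OLD_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=10240 lost=523 backlog=10240'
NEW_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 10240
lost 0
backlog 3'

echo "killed auditd:  $(audit_sink 'ro quiet' "$OLD_STATUS"), lost=$(status_field "$OLD_STATUS" lost)"
echo "running auditd: $(audit_sink 'ro quiet' "$NEW_STATUS")"
echo "audit=0 boot:   $(audit_sink 'ro quiet audit=0' "$NEW_STATUS")"
```

On a live host the same check is `audit_sink "$(cat /proc/cmdline)" "$(auditctl -s)"`, run as root.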