On Thursday 14 August 2008 19:26:49 LC Bruzenak wrote:
> My one auditd machine gets very busy occasionally - I sometimes drop
> events (rather than abort for a development machine) even after
> ratcheting up my event queue to 8K.

I believe that this is a problem in the audit code. The scheduler changed
sometime around 2.6.25 and I started seeing it when I hadn't previously. I
have a real strong idea what the problem is after talking with Chris Wright
about it, but am at a loss for how to make it better. I hope to address this
in the coming days since adding more load to auditd will make it worse.

> Now the question is what happens if the network hiccups and I cannot
> send the events from a client?

There will be a couple admin-defined actions just like when disk logging has
problems. Anyone that wants to enhance what is in this first cut, please send
patches.

> I could still write the events to the local disk, but then getting
> them onto the intended aggregator is now tricky, right? Will the sender
> keep track of the last event sent and recover once the connection is
> restored?

At first, I think a best effort solution is what we'll have. IPA's delivery
service will be a more robust solution with failover capabilities. I do not
envision going to that length with auditd.
-Steve