On Tuesday 22 February 2005 14:16, Erich Schubert wrote:
> Yes, my log file is located in a ram disk, and the settings are
> log_file = /etc/audit-open/mnt/audit.log
This is OK. But there's one thing missing from your log in the first
post: the reason the record was lost. It should immediately follow the
message with audit_lost records totalled.
auditctl -s should give you the status of the audit system; make sure flag =
1. This tells the kernel to send the reason message to syslog. If you have
flag=0, then you'll never know why records are being dropped.
Can you look through the logs and see why records are being dropped?
Thanks,
-Steve Grubb
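The check Steve describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the audit package: it parses the status text that `auditctl -s` prints, reports whether the failure flag is 0 (records dropped silently, no reason logged) or non-zero, and shows the lost counter so you know whether drops have already happened. The two status formats it accepts, the old one-line `key=value` form (which uses the name `flag`) and the newer one-per-line `key value` form (which uses `failure`), are assumptions about the tool's output; the sample status strings are constructed, not captured from a real system. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect `auditctl -s` output
# for the two things discussed above:
#   - the failure flag must be non-zero, or the kernel drops records silently
#     and never logs the reason (auditctl -f 1 sets it to "printk");
#   - a non-zero lost counter means records have already been dropped.
#
# Assumption: status text is either the old "key=value" form
#   "AUDIT_STATUS: enabled=1 flag=1 ... lost=0 ..."
# or the newer "key value" per-line form ("failure 1", "lost 0").
# "flag" and "failure" are treated as the same field.

# audit_field STATUS NAME -> prints the value following NAME, or nothing.
audit_field() {
    printf '%s\n' "$1" | tr '=' ' ' \
        | awk -v key="$2" '{ for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# audit_failure_flag STATUS -> 0 = silent, 1 = log reason via printk, 2 = panic
audit_failure_flag() {
    v=$(audit_field "$1" flag)
    [ -n "$v" ] || v=$(audit_field "$1" failure)
    printf '%s\n' "${v:-0}"
}

# audit_lost STATUS -> number of records the kernel reports as lost
audit_lost() {
    v=$(audit_field "$1" lost)
    printf '%s\n' "${v:-0}"
}

# check_audit_status STATUS -> returns 0 when drops would be explained in
# syslog (flag != 0), 1 when they would be silent; prints a diagnosis.
check_audit_status() {
    flag=$(audit_failure_flag "$1")
    lost=$(audit_lost "$1")
    if [ "$flag" -eq 0 ]; then
        echo "failure flag is 0: records are dropped silently; set it with 'auditctl -f 1'"
        if [ "$lost" -gt 0 ]; then
            echo "$lost record(s) already lost with no reason logged"
        fi
        return 1
    fi
    if [ "$lost" -gt 0 ]; then
        echo "$lost record(s) lost; look for the audit_lost message in syslog, the reason follows it"
    else
        echo "no records lost; failure flag=$flag"
    fi
    return 0
}

# Constructed sample status strings (not real output from any system).
SAMPLE_OLD='AUDIT_STATUS: enabled=1 flag=0 pid=0 rate_limit=0 backlog_limit=64 lost=17 backlog=0'
SAMPLE_NEW='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Live use on a system with auditctl:
#   check_audit_status "$(auditctl -s)"
```

Run it against the live output with `check_audit_status "$(auditctl -s)"`; a non-zero exit means the kernel is configured to drop records without saying why, which is exactly the situation in which the "reason" line will never appear in syslog.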