Since we're new to auditd, there are no old utilities so far that we're
using, so I don't see a problem there. I think.
On Wed, Jul 13, 2016 at 11:38 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:
> The only reason I am even upgrading is because of the issues with
> audisp-remote, the not-reconnecting, and the apparent client-side
> buffering, that went away with 2.4.x and 2.6.x. So if we decide to ship
> logs a different way than with audisp-remote, then it might be best to
> stick with 1.7.x.
This sounds a lot like the idle detection is not set right. In
audisp-remote.conf there is a setting heartbeat_timeout. This should be set
to something like 60 or 120. Then on the server in auditd.conf there is a
setting tcp_client_max_idle which should be over twice as high as
heartbeat_timeout. So, you'd set it to 180 or 300.
> That said, so far I see no issues, so we're going to forge ahead and see
> what happens. I just need to keep in mind what our mitigation plan would
> be if we do run into issues.
Old utilities won't know what to do with enriched events. AFAICS, that
would be the long term issue. You'll need to do a perl, awk, or cut command
to trim off the unknown part of the event in your logs.
-Steve
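One way to check the heartbeat/idle pairing Steve describes before rolling audisp-remote out, as an added shell example that is not from this thread or from the audit project; the config files it reads are sample files constructed inline, and the "key = value" layout is the one auditd.conf and audisp-remote.conf use.

```shell
#!/bin/sh
# Added example: verify that tcp_client_max_idle (server, auditd.conf) is more
# than twice heartbeat_timeout (client, audisp-remote.conf), so the server
# never drops a client that is merely quiet between heartbeats.

# read_setting FILE KEY: print the value of "KEY = value", ignoring comments.
read_setting() {
    awk -v key="$2" -F'=' '
        ($0 !~ /^[[:space:]]*#/) && ($1 ~ ("^[[:space:]]*" key "[[:space:]]*$")) {
            gsub(/[[:space:]]/, "", $2); print $2; exit
        }' "$1"
}

# check_idle_pairing CLIENT_CONF SERVER_CONF: returns 0 if the pairing is
# consistent with the rule above, 1 (with a reason) otherwise.
check_idle_pairing() {
    hb=$(read_setting "$1" heartbeat_timeout)
    idle=$(read_setting "$2" tcp_client_max_idle)
    [ -n "$hb" ] && [ "$hb" -gt 0 ] 2>/dev/null || {
        echo "heartbeat_timeout unset or 0: client sends no keepalives"; return 1; }
    [ -n "$idle" ] && [ "$idle" -ge 0 ] 2>/dev/null || {
        echo "tcp_client_max_idle unset or not numeric"; return 1; }
    if [ "$idle" -le $((2 * hb)) ]; then
        echo "tcp_client_max_idle=$idle must exceed 2*heartbeat_timeout=$((2 * hb))"
        return 1
    fi
    echo "ok: heartbeat_timeout=$hb tcp_client_max_idle=$idle"
    return 0
}

# Constructed sample configs (assumed paths under a temp dir, not /etc/audisp).
tmp=$(mktemp -d)
printf '# defaults: both features off\nheartbeat_timeout = 0\n' > "$tmp/bad-remote.conf"
printf 'tcp_client_max_idle = 0\n' > "$tmp/bad-auditd.conf"
printf 'heartbeat_timeout = 120\n' > "$tmp/good-remote.conf"
printf 'tcp_client_max_idle = 300\n' > "$tmp/good-auditd.conf"

check_idle_pairing "$tmp/bad-remote.conf" "$tmp/bad-auditd.conf" || echo "  -> fix before shipping logs"
check_idle_pairing "$tmp/good-remote.conf" "$tmp/good-auditd.conf" && echo "  -> consistent"
```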