Re: buffer space

On Monday 17 August 2009 10:49:55 am David Flatley wrote: > If I were to move all the rotated logs to another directory, > say /home/logs. So instead of doing "ausearch -i" to capture all the > information in the rotated logs in > /var/log/audit directory. I would do "ausearch -i -f /home/logs" , correct? > Yes. > Backlog is set to 12288 right now. > ok > The SECSCAN requires many -w (watches) and a fair amount of syscalls. I > modified the syscalls to add your recommendation for using "arch=b32" and > "arch=b64". > Are there any public references to this standard? > Because I was getting errors restarting the auditd on some of their > recommendations one of which was mount? > Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386. > Another setting I believe was doing me in was the log size is 20 megs and > I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action > was suspend. > So this could have been tripping me up also. > If the partition was 320Mb or smaller, then yes that would be a problem. But I also think the fact that its being suspended is sent to syslog. > I would like to be able to do the audit log extractions (ausearch and > aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a > script in max_log_file_action. > So if I set the max_log_file to 160, I can then run a script to move the > rotated logs and process them, thus not stopping auditd and keeping things > working? > Yes, I think so. But if you are hooking max_log_file action, then you would need to send sigusr1 to ppid to get auditd to rotate the log and open another one. If you don't, auditd will still have an open descriptor to the file. -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit