On Thursday 19 February 2009 04:30:10 pm Smith, Gary R wrote:
> When the setting for the output log format is set to "NOLOG" (log_format
> = NOLOG in auditd.conf) it appears that audit events are getting stacked
> up in the internal message queue (audit_reply_list) and are not removed
> from the stack after being written to the audit dispatcher daemon. The
> result is the stack grows without end.
>
> I have the following potential fix for audit version 1.7.11:

OK, I had a chance to look into this problem. The big clue was that it's only
happening when NOLOG is given. The patch that was sent does fix the problem,
but it doesn't allow reconfigure (sighup) and on-demand log rotation
(sigusr1) to work either. What I believe is the correct fix was put into svn
as commit 252.
https://fedorahosted.org/audit/changeset/252
Thanks for the troubleshooting.
-Steve