On Tuesday 14 June 2005 15:34, Michael C Thompson wrote:
> However, without putting sleeps (e.g. sleep(2); seems to be the most
> effective) before we call "../auditd stop" then the records in file which
> we are hoping to verify with are not there, unless we prolong the stop
> (i.e. with a sleep).

Something else you can do is poll the backlog.
[root@linux ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1439 rate_limit=0 backlog_limit=256 lost=0
backlog=0
Will tell you the current backlog. When it goes to 0, everything has been sent
to auditd.
-Steve
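
The polling approach suggested above, as an added example that is not part of the original message: it replaces a fixed sleep with a bounded wait on the backlog counter. The names parse_backlog, wait_for_backlog_drain and STATUS_CMD are hypothetical, and the parser assumes status output in the key=value form quoted above.

```shell
#!/bin/sh
# Added example: wait for the kernel audit backlog to reach 0 before
# stopping auditd, instead of sleeping for a fixed time.

# Read "auditctl -s" output on stdin and print the backlog value.
# Matching whole whitespace-separated fields keeps "backlog_limit=256"
# from being mistaken for the backlog counter.
parse_backlog() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^backlog=[0-9]+$/) {
                sub(/^backlog=/, "", $i)
                print $i
                exit
            }
    }'
}

# Poll until backlog=0.
#   $1  maximum number of polls (default 20)
#   $2  seconds to sleep between polls (default 1)
# STATUS_CMD (assumption) overrides the status command for testing.
# Returns 0 when drained, 1 on timeout, 2 if no backlog field was found
# (for example auditctl missing or a different output format).
wait_for_backlog_drain() {
    max_polls=${1:-20}
    interval=${2:-1}
    status_cmd=${STATUS_CMD:-auditctl -s}
    polls=0
    while [ "$polls" -lt "$max_polls" ]; do
        backlog=$($status_cmd 2>/dev/null | parse_backlog)
        if [ -z "$backlog" ]; then
            return 2
        fi
        if [ "$backlog" -eq 0 ]; then
            return 0
        fi
        polls=$((polls + 1))
        sleep "$interval"
    done
    return 1
}

# Usage in a test script, before the stop call from the message above:
#   wait_for_backlog_drain 20 1 || echo "audit backlog not drained" >&2
#   ../auditd stop
```

A non-zero return is worth failing the test on rather than ignoring, since records still queued in the kernel at that point are the ones the verification step would miss.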