On 2021-03-16 18:25, Alan Evangelista wrote:
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
>
> First I turned auditd off so that events are not consumed:
>
> # service auditd stop
>
> Then I make sure that the backlog size is greater than 0:
>
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> backlog_limit 8192
> lost 0
> backlog 0
This is a bit of a long shot, and I note the "enabled 1" while "pid 0"
above, but have you got "audit=1" in the kernel boot parameters? If
not, what happens if you add it?
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
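The two checks raised in this exchange, the `auditctl -s` counters and whether `audit=1` is on the kernel command line, can be scripted so they are run together before concluding the backlog is broken. The script below is an added example written for this thread, not code from either poster or from the audit project. It assumes only the key/value layout that `auditctl -s` prints above and that the boot parameters are readable from `/proc/cmdline`; the sample status text is copied from Alan's output, and the command-line strings in the test are constructed.

```sh
#!/bin/sh
# Added example: sanity-check the kernel audit backlog state before testing it.
# Assumes the "key value" per-line format of `auditctl -s` shown in the thread.

# Sample status text, taken from the output quoted in the thread.
SAMPLE_STATUS='enabled 1
failure 1
pid 0
backlog_limit 8192
lost 0
backlog 0'

# Print the value of one field ($1) from auditctl -s style text ($2).
audit_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Return 0 when the token audit=1 appears on a kernel command line ($1).
# Padding with spaces avoids matching audit=10 or a substring of another key.
audit_boot_enabled() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report anything that would stop events from queuing in the kernel backlog.
# $1 = auditctl -s output, $2 = kernel command line. Returns 0 if no problem found.
audit_backlog_diagnose() {
    status="$1"
    cmdline="$2"
    enabled=$(audit_field enabled "$status")
    pid=$(audit_field pid "$status")
    limit=$(audit_field backlog_limit "$status")
    backlog=$(audit_field backlog "$status")
    rc=0
    if [ "${enabled:-0}" != "1" ]; then
        echo "kernel audit is not enabled (enabled=${enabled:-missing})"
        rc=1
    fi
    if [ "${limit:-0}" -eq 0 ]; then
        echo "backlog_limit is 0: the kernel has nowhere to queue events"
        rc=1
    fi
    if ! audit_boot_enabled "$cmdline"; then
        echo "audit=1 is not on the kernel command line: audit was not enabled at boot"
        rc=1
    fi
    if [ "${pid:-0}" -eq 0 ]; then
        # Informational only: no daemon registered is the intended test setup here.
        echo "no audit daemon registered (pid 0); backlog is $backlog of limit $limit"
    fi
    return $rc
}

# Live usage on a CentOS 7 host (needs root for auditctl):
#   audit_backlog_diagnose "$(auditctl -s)" "$(cat /proc/cmdline)"
```

Run against Alan's status output with a command line lacking `audit=1`, the function flags the missing boot parameter and exits non-zero; with `audit=1` present it only notes that no daemon is registered, which is the state the test deliberately set up.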