> Right you need to add a sleep. audit records do not show up instantaneously.
> How long it takes could be subject to debate. I'd be more interested in
> figuring that out.


I'll look into that, maybe we can find an answer, architecture, hardware & load dependent of course.


> > As it was explained to me, the way the stop works is when auditd is told to
> > "stop", the daemon dies,
>
> Not really. It goes through a series of steps to stop processing and write the
> shutdown record. It does not just die.


I think you took it a little too literally, but that's ok. I'll forgive you this once ;)
 
> > OK, good point. I remember it being mentioned during a meeting, but was there
> > any further discussion about an "auditd stop" & "auditd shutdown" option?
>
> No.

Deemed unnecessary & therefore pointless to further the debate?
 
- Mike