On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:
> The only reason I am even upgrading is because of the issues with
> audisp-remote, the not-reconnecting, and the apparent client-side
> buffering, that went away with 2.4.x and 2.6.x. So if we decide to ship
> logs a different way than with audisp-remote, then it might be best to
> stick with 1.7.x.
This sounds a lot like the idle detection is not set right. In audisp-
remote.conf there is a setting heartbeat_timeout. This should be set to
something like 60 or 120. Then on the server in auditd.conf there is a setting
tcp_client_max_idle which should be over twice as high as heartbeat_timeout.
So, you'd set it to 180 or 300.
> That said, so far I see no issues, so we're going to forge ahead and see
> what happens. I just need to keep in mind what our mitigation plan would
> be if we do run into issues.
Old utilities won't know what to do with enriched events. AFAICS, that would
be the long term issue. You'll need to use a perl, awk, or cut command to trim
off the unknown part of the event in your logs.
-Steve
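As an added example (not code from the thread or from the audit project), a small Python check that reads heartbeat_timeout from audisp-remote.conf and tcp_client_max_idle from auditd.conf and verifies the relationship Steve describes; the config contents and hostname below are constructed samples, and treating a missing key or 0 as "not configured" is an assumption.

```python
# Constructed sample configs: the "weak" pair leaves both timeouts unset,
# the "fixed" pair follows the 60 / 180 suggestion from the reply.
WEAK_REMOTE = """# audisp-remote.conf (constructed sample)
remote_server = audit.example.internal
port = 60
heartbeat_timeout = 0
"""
WEAK_SERVER = """# auditd.conf (constructed sample)
tcp_listen_port = 60
tcp_client_max_idle = 0
"""
FIXED_REMOTE = WEAK_REMOTE.replace("heartbeat_timeout = 0", "heartbeat_timeout = 60")
FIXED_SERVER = WEAK_SERVER.replace("tcp_client_max_idle = 0", "tcp_client_max_idle = 180")


def parse_audit_conf(text):
    """Parse the 'key = value' format shared by auditd.conf and
    audisp-remote.conf. '#' starts a comment; keys are lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def check_idle_settings(remote_conf, auditd_conf):
    """Return (ok, heartbeat_timeout, tcp_client_max_idle).

    ok is True only when the client sends heartbeats and the server's idle
    cutoff is more than twice the heartbeat interval, so a single delayed
    heartbeat cannot get the connection dropped. A missing key or a value of 0
    is treated as 'not configured' (assumption)."""
    heartbeat = int(parse_audit_conf(remote_conf).get("heartbeat_timeout", "0"))
    max_idle = int(parse_audit_conf(auditd_conf).get("tcp_client_max_idle", "0"))
    ok = heartbeat > 0 and max_idle > 2 * heartbeat
    return ok, heartbeat, max_idle


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_REMOTE, WEAK_SERVER)),
                        ("fixed", (FIXED_REMOTE, FIXED_SERVER))):
        ok, hb, idle = check_idle_settings(*pair)
        print(f"{label}: heartbeat_timeout={hb} tcp_client_max_idle={idle} "
              f"-> {'OK' if ok else 'NEEDS ATTENTION'}")
```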