Re: space_left_action
On Thu, 2009-07-30 at 16:23 -0400, Steve Grubb wrote:
On Thursday 30 July 2009 04:13:54 pm LC Bruzenak wrote:
> Good news: When I set the space_left_action to syslog and crossed the
> boundary, I got a syslog message on the next audit event. Subsequent
> events did not generate any further syslog messages.
>
> Then I freed up disk space, sent in a few events for good measure
> (thinking it would reset the flag) and once again filled the disk past
> the threshold.
> Bad news: I didn't get the message again.
Did you do a "service auditd resume" ?
> Should this behavior have happened as I expected and another log message
> get into the messages log? Or as coded would the auditd need restart?
You shouldn't need to restart it, but you should tell it to resume.
-Steve
Thanks for the info Steve!
I would think the manual resume option appropriate definitely for the
"suspend" option...but not really the syslog.
Is there a reason to not have it reset if the space is freed?
So if eventually I need to patch this, would you:
1: accept a change?
2: also want another parameter like "autoresume_on_space_free = false"
to preserve this behavior?
Thanks,
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com