On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Hello All!
> I have a question.

So do I. :-)
Which version of the audit package are you using? There were some logging
robustness updates in the 2.8 series.

> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
> Using au-remote plugin client sends logs to remote.
> Let's stop (do not start then) remote's audit service and restart
> client's one.

So, if I understand this scenario, you are starting the client side while the
server is down?

> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
> How can I solve this issue without client's audit service restart?

Typically, you need to send SIGUSR2 to audisp-remote.

> Is it possible by any settings/configs?
> Any help would be appreciated.

I'll look into it, but please if you could let me know the answer to the
above 2 questions.
-Steve