audit.20 kernel
Steve Grubb
sgrubb at redhat.com
Mon Apr 11 19:31:16 UTC 2005
On Monday 11 April 2005 15:13, David Woodhouse wrote:
> Is the audit dæmon flushing the queue completely before it shuts down,
> or just exiting immediately? The message should definitely be in the
> queue before the signal is delivered.
When it receives the term signal, it stops looking for netlink packets, writes
a normal termination event, sets a flag for the other thread to finish the
backlog and exit, the main thread waits for the logger thread and then
terminates.
When the audit daemon shuts down, the kernel will start sending audit events
to syslog. That's why I included both syslog and audit.log.
-Steve
More information about the Linux-audit
mailing list