audit.20 kernel

Steve Grubb sgrubb at redhat.com
Mon Apr 11 19:31:16 UTC 2005


On Monday 11 April 2005 15:13, David Woodhouse wrote:
> Is the audit dæmon flushing the queue completely before it shuts down,
> or just exiting immediately? The message should definitely be in the
> queue before the signal is delivered.

When it receives the term signal, it stops looking for netlink packets, writes 
a normal termination event, sets a flag for the other thread to finish the 
backlog and exit, the main thread waits for the logger thread and then 
terminates.

When the audit daemon shuts down, the kernel will start sending audit events 
to syslog. That's why I included both syslog and audit.log.

-Steve




More information about the Linux-audit mailing list