
Re: Another question - audit_lost



On Tuesday 22 February 2005 14:16, Erich Schubert wrote:
> Yes, my log file is located in a ram disk, and the settings are
> log_file = /etc/audit-open/mnt/audit.log

This is OK. But, there's one thing missing from your log in the first 
post...the reason the record was lost. It should immediately follow the 
message with audit_lost records totalled.

auditctl -s should give you the status of the audit system; make sure
flag=1. This tells the kernel to send the reason message to syslog. If you
have flag=0, then you'll never know why records are being dropped.

Can you look through the logs and see why records are being dropped?

Thanks,
-Steve Grubb
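
The check described in the message above, as an added example that is not part of the original post: a shell function that scans syslog text for the kernel's audit_lost summary lines and pairs each one with the reason line that should immediately follow it. The function names, host name and sample log lines are constructed, and the "kernel: audit: ..." line layout is an assumption about how the kernel messages appear in syslog.

```shell
#!/bin/sh
# Added example (not from the original thread).
# lost_reasons: read syslog text on stdin and print one line per audit_lost
# summary: "<lost count><TAB><reason>". If the next log line is not an
# "audit:" message, the reason is reported as missing, which is what you
# would see when the kernel is not sending the reason to syslog.
lost_reasons() {
    awk '
        # Report a summary line that was never followed by a reason.
        function emit_missing() {
            if (pending != "") print pending "\t" "NO REASON LOGGED"
            pending = ""
        }
        /audit: audit_lost=/ {
            emit_missing()
            match($0, /audit_lost=[0-9]+/)
            # Skip the 11 characters of "audit_lost=" to keep only the count.
            pending = substr($0, RSTART + 11, RLENGTH - 11)
            next
        }
        pending != "" && /audit: / {
            sub(/^.*audit: /, "")      # keep only the reason text
            print pending "\t" $0
            pending = ""
            next
        }
        { emit_missing() }
        END { emit_missing() }
    '
}

# Constructed sample syslog lines (assumed layout, not real log data).
sample_log() {
    cat <<'EOF'
Feb 22 14:01:07 host kernel: audit: audit_lost=12 audit_rate_limit=0 audit_backlog_limit=64
Feb 22 14:01:07 host kernel: audit: backlog limit exceeded
Feb 22 14:03:41 host kernel: audit: audit_lost=40 audit_rate_limit=0 audit_backlog_limit=64
Feb 22 14:03:42 host sshd[811]: session opened for user root
EOF
}

sample_log | lost_reasons
```

To run it against a real log, pipe the syslog file into lost_reasons instead of sample_log.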

