auditd stop suggestion

Steve Grubb sgrubb at redhat.com
Tue Jun 14 21:28:14 UTC 2005


On Tuesday 14 June 2005 15:34, Michael C Thompson wrote:
> However, without putting sleeps (e.g. sleep(2); seems to be the most
> effective) before we call "../auditd stop" then the records in file which
> we are hoping to verify with are not there, unless we prolong the stop
> (i.e. with a sleep).

Something else you can do is poll the backlog. 

[root at linux ~]# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1439 rate_limit=0 backlog_limit=256 lost=0 
backlog=0

Will tell you the current backlog. When it goes to 0, everything has been sent 
to auditd.

-Steve
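As an added example (not code from Steve's message or from the audit project): a POSIX shell helper that polls `auditctl -s`, parses the `backlog=` field and waits for it to reach 0 before the harness stops auditd, replacing the fixed sleep. It assumes `auditctl` is on PATH and is run as root; the sample status text is the one shown in the message.

```shell
#!/bin/sh
# Constructed sample: the auditctl -s output shown in the message, with
# "backlog=0" wrapped onto its own line as it appears there.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=1439 rate_limit=0 backlog_limit=256 lost=0
backlog=0'

# Read auditctl -s output on stdin and print the integer after "backlog=".
# Splitting on spaces handles both the one-line and the wrapped form;
# the anchored pattern does not match "backlog_limit=".
parse_backlog() {
    tr ' ' '\n' | sed -n 's/^backlog=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Poll the kernel backlog once a second until it reaches 0, then return 0.
# Returns 1 if it has not drained within $1 seconds (default 30) and 2 if the
# status could not be read (auditctl missing, not root, audit disabled).
wait_for_backlog_drain() {
    timeout_secs="${1:-30}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout_secs" ]; do
        backlog=$(auditctl -s 2>/dev/null | parse_backlog)
        if [ -z "$backlog" ]; then
            return 2
        fi
        if [ "$backlog" -eq 0 ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Test-harness usage: drain before stopping instead of sleeping a fixed time.
# Only runs when invoked as: sh drain.sh --stop
if [ "${1:-}" = "--stop" ]; then
    wait_for_backlog_drain 30 || echo "warning: backlog not drained (rc=$?)" >&2
    ../auditd stop    # the stop command used in the thread's test script
fi
```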
