Audit Dispatcher Design

Steve Grubb sgrubb at redhat.com
Thu Sep 8 13:35:32 UTC 2005


On Wednesday 07 September 2005 17:57, Linda Knippers wrote:
> I was also wondering about the overall design goals, how we'd expect this to
> be used 

That was stated here:

https://www.redhat.com/archives/linux-audit/2005-August/msg00073.html

> and what the performance and error handling characteristics would be.

No performance goal. There is a queue between auditd & audisp to decouple the 
rate of processing. 

What can you say about error handling other than it must be correct? auditd is 
not going away. It will be the method for reliable logging. audisp is going 
to be best effort at this point. For example, if you use remote logging,
should the machine stop if the network goes down? Should it queue them and
transfer when the network is up? What if the queue fills to capacity? If the
remote logger's disk is full, should all machines on the network go to admin
mode? That'll be a bummer. I don't think we want to face all these issues and
claim a 100% guarantee at this point.

-Steve



