[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit pipe full



On Friday 09 March 2007 15:20, Ameel Kamboh wrote:
> Does this mean the dispatcher is now turned of or I just loose those
> events.

No. You need to look in /etc/audit/auditd.conf to see what your disp_qos 
setting is. The options are lossy and blocking.

> Currently I am not seeing any events in SNARE and trying to trouble
> shoot where the issue is.

There is a sample program: /usr/share/doc/audit-1.3.1/skeleton.c that is an 
event dispatcher, too. You can build and install it. It sends events to 
syslog. If that works then the problem is the snare piece. If that program 
fails, let me know.

-Steve


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]