buffer space

Steve Grubb sgrubb at redhat.com
Thu Aug 13 18:28:43 UTC 2009


On Thursday 13 August 2009 10:56:50 am David Flatley wrote:
>   Red Hat 5.3 running audit 1.7.7-6
> Rotating logs at 20 megs and allowing 8 logs
> Rules have watches and syscalls from the SECSCAN recommendations, and have
> added some of Steve Grubb's recommendations.

I would be curious what the SECSCAN recommendations are. Never heard of it...


> When we extract and archive the audit logs we get "Error receiving audit
> netlink packet (No buffer space available)" and "error sending signal info
> request".
> Our extract is: stop auditd, then create a file and run ausearch -i > file,
> then run aureport -i > file, then once that is done we delete all the
> logs and restart auditd.

I think this is your problem. If you have audit rules loaded and stop auditd, 
then audit events are going to pile up in the queue waiting for auditd to 
download them. At some point the kernel will decide auditd doesn't exist and 
will dump all events to syslog. This probably is not what you want either.

I would recommend calling "service auditd rotate" and then grabbing the logs
audit.log.1 -> audit.log.7 and moving them away to another directory for
post-processing the contents.

You may also want to check your backlog size settings.


> If I run this manually it works fine, but if I have it running in a cron
> we get kernel panics, lockups and log data loss plus the buffer messages.

Shouldn't really make a difference.

-Steve

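The rotate-and-archive procedure Steve recommends, written out as an added example; this is not code from the original thread or from the audit project's own tooling. It assumes a Red Hat style init script that accepts "service auditd rotate", logs under /var/log/audit, an archive directory /var/log/audit-archive, and an ausearch/aureport that accept --input (all of these are assumptions; adjust for your system). The demo function uses constructed, empty log files so the archive logic can be exercised without auditd or root.

```shell
#!/bin/sh
# Added example (not from the original post): archive rotated audit logs
# without stopping auditd.  auditd keeps draining the kernel queue, so the
# backlog never fills and the kernel never decides its consumer is gone.
# Assumed paths (not stated on the page): /var/log/audit for the live logs,
# /var/log/audit-archive for the copies.  Run as root on the audit host.

set -eu

AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/audit}"
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/var/log/audit-archive}"

# Ask the running auditd to rotate its files instead of stopping it.
rotate_audit_logs() {
    service auditd rotate
}

# Move every already-rotated file (audit.log.1, audit.log.2, ...) out of
# the live log directory into a timestamped archive directory.  The live
# audit.log is left alone: auditd still has it open.  Prints the archive
# directory so callers can post-process it.
archive_rotated_logs() {
    logdir="$1"
    archive_root="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$archive_root/$stamp"
    mkdir -p "$dest"
    for f in "$logdir"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mv "$f" "$dest/"
    done
    echo "$dest"
}

# Count rotated log files in a directory (used to verify the move).
count_archived() {
    n=0
    for f in "$1"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Generate the reports from the archived copies, never from the live log.
report_archive() {
    dest="$1"
    for f in "$dest"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue
        ausearch -i --input "$f" >> "$dest/ausearch.txt"
        aureport -i --input "$f" >> "$dest/aureport.txt"
    done
}

# Kernel-side queue state: backlog_limit is the -b value from audit.rules,
# lost counts events the kernel dropped.  Raise -b if lost keeps growing.
check_backlog() {
    auditctl -s
}

# Offline demo with constructed (empty) rotated files: three rotated logs
# plus a live audit.log.  Prints "<moved> <left behind> <live still there>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/log"
    for i in 1 2 3; do : > "$tmp/log/audit.log.$i"; done
    : > "$tmp/log/audit.log"
    dest=$(archive_rotated_logs "$tmp/log" "$tmp/archive")
    moved=$(count_archived "$dest")
    left=$(count_archived "$tmp/log")
    live=$( [ -e "$tmp/log/audit.log" ] && echo 1 || echo 0 )
    rm -rf "$tmp"
    echo "$moved $left $live"
}

main() {
    rotate_audit_logs
    sleep 1                              # let auditd reopen its new file
    dest=$(archive_rotated_logs "$AUDIT_LOG_DIR" "$ARCHIVE_ROOT")
    report_archive "$dest"
    check_backlog
}

# Run the full flow only when saved and executed as archive-audit.sh.
case "${0##*/}" in archive-audit.sh) main ;; esac
```

Save it as archive-audit.sh and call it from root's cron in place of the stop/extract/restart sequence. Because the daemon is never stopped, the netlink "No buffer space available" condition that comes from a full kernel backlog does not arise, and the live file stays in place while only the rotated copies are moved and reported on.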