Problem with auditd/SnareLinux on RHEL 5.3 - auditd glomming memory

Steve Grubb sgrubb at redhat.com
Thu Feb 19 21:54:40 UTC 2009


On Thursday 19 February 2009 04:30:10 pm Smith, Gary R wrote:
> When the setting for the output log format is set to "NOLOG" (log_format
> = NOLOG in auditd.conf) it appears that audit events are getting stacked
> up in the internal message queue (audit_reply_list) and are not removed
> from the stack after being written to the audit dispatcher daemon. The
> result is the stack grows without end.
>
> I have the following potential fix for audit version 1.7.11:

This looks like a really good hint at what's going on. I'll look into this 
deeper and either apply this patch or address the same problem another way in 
the next release.

Thanks,
-Steve



