Clear kernel audit buffer?

Richard Guy Briggs rgb at redhat.com
Mon Jan 13 19:24:38 UTC 2014


On 13/12/26, Aaron Lewis wrote:
> Hi,
> 
> I'm doing a stress test on auditd, so I add a rule to monitor "open"
> syscall, then I use a C program to generate massive amount of logs.
> The program finished and exited.
> 
> But I generated too much, if I kill auditd and start it again, I can
> still see a lot of type=SYSCALL logs. (But not CWD or PATH)
> 
> Can I clear the existing buffer?

Did you remove the rule that caused the massive amount of logging?

Auditd will drain that buffer.  The default is a queue of 64 messages,
which should drain reasonably quickly if the rule has been removed and
the queue length hasn't been overridden to a huge value.  Otherwise,
there is no other way to drain that buffer.

> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
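A defender-side check for the situation in this thread, as an added example (not code from either poster or from the audit project): it parses `auditctl -s` to report whether the kernel queue has drained against its backlog_limit, and parses `auditctl -l` to confirm the noisy "open" rule is gone. The rule spec with `-F arch=b64`, the AUDIT_CHECK_LIVE switch and the sample status text are assumptions; the 64-message limit is the default RGB mentions.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the kernel audit
# queue has drained and whether the "open" syscall rule is still loaded.
# Parsing works on captured `auditctl -s` / `auditctl -l` text, so it is
# testable without root; the live section runs only if AUDIT_CHECK_LIVE=1.

# status_field STATUS_TEXT KEY -> value of KEY in `auditctl -s` output.
# Handles both the "key value" per-line format and the older single-line
# "AUDIT_STATUS: key=value key=value ..." format.
status_field() {
    printf '%s\n' "$1" | tr '=' ' ' | awk -v key="$2" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# backlog_state STATUS_TEXT -> prints drained, draining or full
backlog_state() {
    limit=$(status_field "$1" backlog_limit)
    backlog=$(status_field "$1" backlog)
    [ -n "$limit" ] && [ -n "$backlog" ] || { echo unknown; return 1; }
    if [ "$backlog" -eq 0 ]; then echo drained
    elif [ "$backlog" -ge "$limit" ]; then echo full
    else echo draining
    fi
}

# rule_loaded RULE_LIST SYSCALL -> success if RULE_LIST (from `auditctl -l`)
# contains a syscall rule whose -S list names SYSCALL exactly (not openat).
rule_loaded() {
    printf '%s\n' "$1" | grep -Eq -- "-S ([a-z0-9_]+,)*$2(,|[[:space:]]|$)"
}

# Constructed sample output (assumed, not captured from the thread): the
# default limit of 64 with 37 messages still queued after the stress test.
SAMPLE_STATUS='enabled 1
failure 1
pid 4242
rate_limit 0
backlog_limit 64
lost 0
backlog 37'
SAMPLE_RULES='-a always,exit -F arch=b64 -S open
-w /etc/passwd -p wa'

if [ "${AUDIT_CHECK_LIVE:-0}" = 1 ]; then
    # Live check (needs root). The -d spec must match the loaded rule exactly
    # as `auditctl -l` prints it; the arch filter here is an assumption.
    rule_loaded "$(auditctl -l)" open && auditctl -d always,exit -F arch=b64 -S open
    backlog_state "$(auditctl -s)"
else
    backlog_state "$SAMPLE_STATUS"          # prints: draining
    rule_loaded "$SAMPLE_RULES" open && echo "open rule still loaded"
fi
```

Once the rule is gone, repeated `auditctl -s` calls should show the backlog value falling toward 0; a non-zero `lost` counter means the kernel dropped records when the queue was full.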
