kauditd is writing too many lines in syslog
Richard Guy Briggs
rgb at redhat.com
Mon Jan 20 17:36:27 UTC 2014
On 14/01/20, Aaron Lewis wrote:
> Hi,
>
> I'm not sure if this is the default behavior,
>
> I'm using audit 2.3.2, and I've configured auditd not to log anything
> (NOLOG option), and I set the queue buffer to 10240 messages.

I assume this is because you are using remote logging or using the
dispatcher?

> When the buffer is full or auditd is suddenly killed or for some other
> reason, it seems to write a lot of things to dmesg or
> /var/log/messages

This is by design.

> So, did kauditd write all these? I already killed the auditd process but I
> can still see logs piling up.

If auditd has ever run, kaudit will continue to try delivering messages.

> Can I ask kauditd not to print anything if the user space program cannot
> handle that many messages?

Sure, on the kernel boot line you can set audit=0 to disable kaudit, or
you can tell the init system to not start auditd.

> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
- RGB
--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
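
Added example, not part of the original message or of the audit project's code: a small Python check that measures how many audit records the kernel has written to syslog, as happens in the situation discussed above, and reads the audit= setting from a kernel command line. The sample log lines, the host name and the function names are constructed for illustration; the line layout (an optional "audit: " prefix before "type=N audit(time:serial)") is an assumption about how the syslog daemon renders kernel messages.

```python
import re
from collections import Counter

# Kernel-emitted audit record as it appears in syslog. The printk timestamp
# and the "audit: " prefix are optional (assumption: both layouts occur).
KAUDIT_RE = re.compile(
    r"kernel:\s+(?:\[\s*\d+\.\d+\]\s+)?(?:audit:\s+)?"
    r"type=(?P<type>\d+)\s+audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)"
)

# Constructed sample input: three spilled audit records (two events),
# one unrelated sshd line, one kernel audit warning that is not a record.
SAMPLE = [
    "Jan 20 17:30:01 host1 kernel: type=1300 audit(1390239001.120:411): arch=c000003e syscall=2 success=yes exit=3",
    'Jan 20 17:30:01 host1 kernel: type=1307 audit(1390239001.120:411):  cwd="/root"',
    "Jan 20 17:30:02 host1 kernel: [ 1234.567890] audit: type=1400 audit(1390239002.300:412): avc:  denied  { read }",
    "Jan 20 17:30:03 host1 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2",
    "Jan 20 17:30:04 host1 kernel: audit: backlog limit exceeded",
]

def kaudit_records(lines):
    """Yield (record_type, serial) for each line that is a kernel audit record."""
    for line in lines:
        m = KAUDIT_RE.search(line)
        if m:
            yield int(m.group("type")), int(m.group("serial"))

def summarize(lines):
    """Count spilled records, distinct events (serials) and records per type."""
    by_type, serials = Counter(), set()
    for rtype, serial in kaudit_records(lines):
        by_type[rtype] += 1
        serials.add(serial)
    return {"records": sum(by_type.values()),
            "events": len(serials),
            "by_type": dict(by_type)}

def audit_boot_param(cmdline):
    """Return the audit= value from a kernel command line, or None if unset."""
    value = None
    for tok in cmdline.split():
        if tok.startswith("audit="):
            value = tok[len("audit="):]  # assumption: a later occurrence overrides
    return value

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(audit_boot_param("BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=0 quiet"))
```

On a live system the same functions can be fed the lines of /var/log/messages and the contents of /proc/cmdline.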