On Wednesday, April 3, 2024 10:20:55 AM EDT Christiansen, Ed - 0992 - MITLL wrote: > I have a need to do two things when a disk space limit is reached and I am > wondering if that can be accomplished. Notionally the auditd.conf syntax > would be something like: > > space_left_action = SYSLOG, email > admin_space_left_action = SYSLOG, email > > so I would get a SYSLOG event (which would trigger an alert on the audit > collector) and an email as well to maximize the chances of viewing the > alert in a timely manner. > > I didn't see anything in the documentation one way or the other, so there > any way to get this functionality out of auditd?
The man page says: Email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. For other actions, it generally logs in addition to doing what it was told to. [1] -Steve 1 - https://github.com/linux-audit/audit-userspace/blob/master/src/auditd-event.c#L840 _______________________________________________ Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
