On Thu, 2008-08-14 at 20:07 -0400, Steve Grubb wrote: > On Thursday 14 August 2008 19:50:23 LC Bruzenak wrote: > > I cannot speak for other end-users...but my guess is that if they are > > using audit and aggregating they probably care about not dropping it, > > whereas others can just syslog the events if the auditd isn't enabled > > and then use centralized syslog, right? > > Does syslog queue unsent messages and recover them? > > -Steve
Not AFAIK...but then again it isn't configurable to panic the machine on failure. I think you have a good point - this is the first cut and maybe later on institute a "replay daemon" or something which can send events on reconnect. We will not lose them locally so that's covered. After that it is a different problem. Thx, LCB. -- LC (Lenny) Bruzenak [EMAIL PROTECTED] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
