> Sep 15 11:48:14 comms audispd: queue is full - dropping event > > I assume this indicates the problem - sending isn't happening so the > audispd queue fills.
Yes, this means nothing is getting across the network. Have you tried running tcpdump on the client side? Or running gdb on the running audisp-remote to see where it's stuck. > I'd have expected an audisp syslog error though. I do log all the errors I could detect, so I don't know what's happening here. Those syslog errors are likely from audisp itself, not the remote plugin. It would help if you could try it between two 32 bit hosts. At least that would remove the "int size bug" possibility. -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
