On Thursday 19 February 2009 04:30:10 pm Smith, Gary R wrote:
> When the setting for the output log format is set to "NOLOG" (log_format
> = NOLOG in auditd.conf) it appears that audit events are getting stacked
> up in the internal message queue (audit_reply_list) and are not removed
> from the stack after being written to the audit dispatcher daemon. The
> result is the stack grows without end.
>
> I have the following potential fix for audit version 1.7.11:

OK, I had a chance to look into this problem. The big clue was that it's only happening when NOLOG is given. The patch that was sent does fix the problem, but it doesn't allow reconfigure (sighup) and on-demand log rotation (sigusr1) to work either. What I believe is the correct fix was put into svn as commit 252.

https://fedorahosted.org/audit/changeset/252

Thanks for the troubleshooting.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
