Good news: When I set the space_left_action to syslog and crossed the boundary, I got a syslog message on the next audit event. Subsequent events did not generate any further syslog messages.
Then I freed up disk space, sent in a few events for good measure (thinking it would reset the flag) and once again filled the disk past the threshold. Bad news: I didn't get the message again. Should this behavior have happened as I expected and another log message get into the messages log? Or as coded would the auditd need restart? Thx, LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
