On Thu, 2009-07-30 at 16:23 -0400, Steve Grubb wrote: > On Thursday 30 July 2009 04:13:54 pm LC Bruzenak wrote: > > Good news: When I set the space_left_action to syslog and crossed the > > boundary, I got a syslog message on the next audit event. Subsequent > > events did not generate any further syslog messages. > > > > Then I freed up disk space, sent in a few events for good measure > > (thinking it would reset the flag) and once again filled the disk past > > the threshold. > > Bad news: I didn't get the message again. > > Did you do a "service auditd resume" ? > > > Should this behavior have happened as I expected and another log message > > get into the messages log? Or as coded would the auditd need restart? > > You shouldn't need to restart it, but you should tell it to resume. > > -Steve
Thanks for the info Steve! I would think the manual resume option appropriate definitely for the "suspend" option...but not really the syslog. Is there a reason to not have it reset if the space is freed? So if eventually I need to patch this, would you: 1: accept a change? 2: also want another parameter like "autoresume_on_space_free = false" to preserve this behavior? Thanks, LCB. -- LC (Lenny) Bruzenak [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
