On Wednesday 31 March 2010 03:48:35 pm Steve Grubb wrote: > > I am losing events when using the dispatcher mode. (ex: there are 100 > > events to be received, I receive just 70) > > Is there anything in syslog from auditd? What is your priority boost in > auditd.conf and audispd.conf?
Wait, you are writing a dispatcher...are you boosting your priority above auditd? If not, you should probably increase it by at least 4. Your dispatcher has to stay ahead of auditd. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
