I've been having a few issues lately with auditd. I'm running the version packaged with RHEL5 (1.7.17), with one machine collecting logs for a few hundred others using audisp.
I had been using logrotate to rotate the logs (in order to get them named with a date extension, bzipped a day after being rotated, etc.). I thought that restarting the daemons each night might be causing issues with many clients trying to reconnect at once, so I tried using copytruncate in order to avoid restarting. This appears to make auditd crash, so I'm looking at using its built-in rotation. However, "service auditd rotate" does not do anything. The man page says this "will consult the max_log_size_action to see if it should keep the logs or not", but I'm not sure what that means; there is "max_log_file_action", which I have set to "ignore" as the FAQ specifies.

I'm also having separate issues with some clients disconnecting from the server, retrying twice in about a 40 second interval, and then giving up. The server isn't going down, and this isn't even happening at the same time I was restarting auditd. I would really like the clients to make more of an effort at reconnecting. I have the configuration options set like so on the clients, but maybe I'm misunderstanding what they do:

    network_retry_time = 30
    max_tries_per_record = 60
    max_time_per_record = 5
    ...
    remote_ending_action = reconnect

Finally, if anyone has any recommendations for setting tcp_listen_queue on the server (I'm not sure if this is supposed to indicate a number of audit messages or clients) and queue_depth on the clients when using a few hundred clients, that would be great.

Thanks for any assistance,

--Ray

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
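The "service auditd rotate" question above turns on two auditd.conf keys, max_log_file_action and num_logs. The script below is an added example (not part of Ray's post and not code from the audit project): it parses an auditd.conf-style file and reports what a manual rotate request would do under the settings found. The decision logic is my reading of auditd.conf(5), where keep_logs shifts the existing files without discarding any and rotation otherwise requires num_logs to be 2 or more, and should be treated as an assumption about the daemon rather than a statement of its source; the sample configuration is constructed for the example, not the poster's real file.

```python
"""Inspect an auditd.conf and say whether a manual rotate (SIGUSR1, i.e.
`service auditd rotate`) will actually rotate anything.

Added example; the behaviour encoded in rotate_signal_outcome() is an
assumption taken from auditd.conf(5), not verified against a given
auditd release.
"""
import re

# Constructed sample: the "let logrotate do it" layout, where auditd is
# told to ignore the size limit and to keep no rotated copies itself.
SAMPLE_AUDITD_CONF = """\
# auditd.conf (constructed sample, not a real host's file)
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 5
max_log_file_action = ignore
num_logs = 0
tcp_listen_port = 60
tcp_listen_queue = 5
"""

_KV = re.compile(r'^([A-Za-z_]+)\s*=\s*(.*?)$')


def parse_auditd_conf(text):
    """auditd.conf is one 'key = value' per line; '#' lines are comments.

    Keys and values are lowercased so callers can compare on the
    documented option names without worrying about case.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError('unparseable auditd.conf line: %r' % raw)
        conf[m.group(1).lower()] = m.group(2).strip().lower()
    return conf


def rotate_signal_outcome(conf):
    """Describe the effect of a manual rotate request under this config.

    Assumed rules (from auditd.conf(5)):
      * max_log_file_action = keep_logs: every log is kept, existing
        audit.log.N files are shifted up and nothing is deleted.
      * any other action: the daemon rotates, but only keeps num_logs
        files, and num_logs < 2 means no rotation happens at all.
    """
    action = conf.get('max_log_file_action', 'ignore')
    num_logs = int(conf.get('num_logs', '0'))
    if action == 'keep_logs':
        return 'keep_logs: audit.log.N shifted, nothing discarded'
    if num_logs < 2:
        return 'no-op: num_logs=%d (fewer than 2 disables rotation)' % num_logs
    return 'rotate: audit.log shifted, %d files kept' % num_logs


def with_overrides(conf, **changes):
    """Return a copy of conf with the given keys replaced; handy for
    checking a proposed change before editing the real file."""
    updated = dict(conf)
    updated.update({k.lower(): str(v).lower() for k, v in changes.items()})
    return updated


if __name__ == '__main__':
    conf = parse_auditd_conf(SAMPLE_AUDITD_CONF)
    print('as configured :', rotate_signal_outcome(conf))
    print('with num_logs=8:', rotate_signal_outcome(with_overrides(conf, num_logs=8)))
```

Run it against a copy of the server's real /var/log/audit config to see which of the three outcomes applies before relying on the init script's rotate target; with_overrides() lets you test a candidate num_logs or keep_logs setting without touching the live file.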
