I'm running audit 1.7.17-3 (RHEL 5) on ~450 clients sending via audisp to a single server. This is mostly working well, except that periodically, I get messages like:
Jan 4 07:57:33 hostfoo audispd: queue is full - dropping event Jan 4 07:58:04 hostfoo last message repeated 814 times Jan 4 07:59:05 hostfoo last message repeated 4121 times Jan 4 08:00:06 hostfoo last message repeated 2602 times Jan 4 08:00:31 hostfoo last message repeated 773 times Reading through the man pages, I've increased the q_depth value in audispd.conf. But even with it set at 99999 (the maximum), many events are still being dropped from almost half the clients. Setting disp_qos to "lossless" in auditd.conf has also not helped. It would be nice to solve this in general. More specifically, however, I know that on the worst offender, the flood of events is being caused by an rsync job that runs at 8 and 12. The events look something like: node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884): arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1 a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990 suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867 comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync" key="perm_mod" Is there any way I can tell the perm_mod rules in audit.rules "Don't tell me about it if the command is rsync"? I couldn't find an obvious answer from the auditctl man page (it doesn't seem that I can just specify, say, comm!=rsync). Thanks, --Ray -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
