On 13/12/26, Aaron Lewis wrote:
> Hi,
>
> I'm doing a stress test on auditd, so I added a rule to monitor the "open"
> syscall, then I used a C program to generate a massive amount of logs.
> The program finished and exited.
>
> But I generated too much: if I kill auditd and start it again, I can
> still see a lot of type=SYSCALL logs. (But not CWD or PATH.)
>
> Can I clear the existing buffer?
Did you remove the rule that caused the massive amount of logging? Auditd will drain that buffer. The default is a queue of 64 messages, which should drain reasonably quickly if the rule has been removed and the queue length hasn't been overridden to a huge value. Otherwise, there is no other way to drain that buffer.

> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
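As an added illustration of the advice in this reply (this is not part of the thread and not the audit project's own tooling), the following POSIX shell script reads the `backlog` and `backlog_limit` fields that `auditctl -s` reports, shows how full the kernel queue is, and waits for it to drain after the noisy rule has been deleted with `auditctl -d`. The `auditctl -s` output embedded below is a constructed sample; the `AUDITCTL` and `DRAIN_SLEEP` variables and every function name are this script's own, chosen so the polling loop can be exercised without root or a running auditd.

```shell
#!/bin/sh
# Added example: inspect and drain the audit backlog after removing a noisy rule.
# Assumes auditctl from audit-userspace; the sample status text is constructed.

# Constructed sample of `auditctl -s` output while a noisy rule is still loaded
# (queue length left at the default of 64, almost full).
SAMPLE_STATUS='enabled 1
failure 1
pid 4242
rate_limit 0
backlog_limit 64
lost 0
backlog 57
backlog_wait_time 60000'

# Print the value of one field (e.g. backlog) from auditctl -s text on stdin.
status_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Summarise kernel backlog use for the status text in $1 as "used/limit (pct%)".
backlog_usage() {
    limit=$(printf '%s\n' "$1" | status_field backlog_limit)
    used=$(printf '%s\n' "$1" | status_field backlog)
    [ -n "$limit" ] && [ -n "$used" ] || return 1
    if [ "$limit" -eq 0 ]; then pct=0; else pct=$((used * 100 / limit)); fi
    printf '%s/%s (%s%%)\n' "$used" "$limit" "$pct"
}

# Return 0 when the status text in $1 shows the backlog at or above $2 percent
# of backlog_limit, 1 otherwise (a queue near its limit risks lost events).
backlog_at_least() {
    limit=$(printf '%s\n' "$1" | status_field backlog_limit)
    used=$(printf '%s\n' "$1" | status_field backlog)
    [ -n "$limit" ] && [ -n "$used" ] && [ "$limit" -gt 0 ] || return 1
    [ $((used * 100 / limit)) -ge "$2" ]
}

# Poll `auditctl -s` (via $AUDITCTL, default auditctl) until the backlog reads 0
# or $1 polls have passed. Prints the number of polls used; returns 1 on timeout.
# Once the rule is gone, auditd drains the queue by itself; this only watches it.
wait_for_drain() {
    max=${1:-30}
    n=0
    while [ "$n" -lt "$max" ]; do
        used=$("${AUDITCTL:-auditctl}" -s | status_field backlog)
        n=$((n + 1))
        [ "${used:-0}" -eq 0 ] && { echo "$n"; return 0; }
        sleep "${DRAIN_SLEEP:-1}"
    done
    echo "$n"
    return 1
}

# Delete the rule given as arguments (same syntax as the -a line that added it,
# e.g. 'always,exit -F arch=b64 -S open') and wait for the backlog to drain.
# Needs root. `auditctl -D` removes every rule if the exact rule is not known.
drain_after_rule_removal() {
    "${AUDITCTL:-auditctl}" -d "$@" || return $?
    wait_for_drain 60
}

# Stand-alone demo on the constructed sample (no root, no auditctl needed).
backlog_usage "$SAMPLE_STATUS"
```

On a live system, `drain_after_rule_removal always,exit -F arch=b64 -S open` (as root) deletes the rule and then reports how many one-second polls the default 64-entry queue took to empty; if `backlog_at_least` keeps reporting a full queue after the rule is gone, check with `auditctl -s` whether `backlog_limit` was raised to a large value, since a large queue is exactly the case the reply warns will take long to drain.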
