Hi Richard,

Thanks for the quick reply.

Yes, I did run auditctl -D to clear all rules. And during testing I have enlarged the buffer queue to 10240 messages. Did you mean that once -D is issued, the buffer will be cleared by auditd, but not by the Linux kernel?

On Tue, Jan 14, 2014 at 3:24 AM, Richard Guy Briggs <[email protected]> wrote:
> On 13/12/26, Aaron Lewis wrote:
>> Hi,
>>
>> I'm doing a stress test on auditd, so I add a rule to monitor the "open"
>> syscall, then I use a C program to generate a massive amount of logs.
>> The program finished and exited.
>>
>> But I generated too much; if I kill auditd and start it again, I can
>> still see a lot of type=SYSCALL logs. (But not CWD or PATH)
>>
>> Can I clear the existing buffer?
>
> Did you remove the rule that caused the massive amount of logging?
>
> Auditd will drain that buffer. The default is a queue of 64 messages,
> which should drain reasonably quickly if the rule has been removed and
> the queue length hasn't been overridden to a huge value. Otherwise,
> there is no other way to drain that buffer.
>
>> Aaron Lewis - PGP: 0xDFE6C29E ( http://keyserver.veridis.com )
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33
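The point Richard makes is that deleting the rules only stops new records; whatever is already queued in the kernel backlog stays there until auditd reads it out. Rather than restarting auditd, you can watch the queue empty. The script below is an added example, not code from either poster or from the audit project: it parses `auditctl -s` output (both the older one-line `AUDIT_STATUS: key=value` form and the newer one-field-per-line form) and reports how full the backlog is; the two sample outputs are constructed, with the 10240 limit taken from this thread.

```python
"""Report whether the kernel audit backlog has drained after `auditctl -D`."""
import re
import shutil
import subprocess

# Constructed sample (newer format): rules deleted, queue still draining.
SAMPLE_DRAINING = """enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 10240
lost 0
backlog 9731
backlog_wait_time 60000
"""

# Constructed sample (older single-line format): queue has emptied.
SAMPLE_DRAINED = ("AUDIT_STATUS: enabled=1 flag=1 pid=812 rate_limit=0 "
                  "backlog_limit=10240 lost=0 backlog=0\n")

# "key value" or "key=value" pairs; works for both output formats.
_FIELD = re.compile(r"([a-z_]+)[= ](\d+)")


def parse_status(text):
    """Return {field: int} parsed from either `auditctl -s` output format."""
    return {k: int(v) for k, v in _FIELD.findall(text.replace("AUDIT_STATUS:", ""))}


def backlog_state(status):
    """Summarise queue occupancy. lost > 0 means records were dropped, not queued."""
    queued, limit = status["backlog"], status["backlog_limit"]
    return {
        "queued": queued,
        "limit": limit,
        "drained": queued == 0,
        "lost": status.get("lost", 0),
        "pct_full": round(100 * queued / limit, 1) if limit else 0.0,
    }


def live_status():
    """Run `auditctl -s` on this host (needs root); None if unavailable."""
    if shutil.which("auditctl") is None:
        return None
    out = subprocess.run(["auditctl", "-s"], capture_output=True, text=True)
    return parse_status(out.stdout) if out.returncode == 0 else None


if __name__ == "__main__":
    for label, sample in (("draining", SAMPLE_DRAINING), ("drained", SAMPLE_DRAINED)):
        print(label, backlog_state(parse_status(sample)))
    print("live", backlog_state(live_status()) if live_status() else "auditctl not available")
```

Run it repeatedly (or in a loop) after `auditctl -D`; `queued` should fall towards zero while `lost` stays constant, since auditd is consuming the existing queue rather than discarding it.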
