Since we're new to auditd, there are no old utilities so far that we're using, so I don't see a problem there. I think.
On Wed, Jul 13, 2016 at 11:38 AM, Steve Grubb <[email protected]> wrote:
> On Wednesday, July 13, 2016 10:51:07 AM EDT Chris Nandor wrote:
> > The only reason I am even upgrading is because of the issues with
> > audisp-remote, the not-reconnecting, and the apparent client-side
> > buffering, that went away with 2.4.x and 2.6.x. So if we decide to ship
> > logs a different way than with audisp-remote, then it might be best to
> > stick with 1.7.x.
>
> This sounds a lot like the idle detection is not set right. In
> audisp-remote.conf there is a setting heartbeat_timeout. This should be
> set to something like 60 or 120. Then on the server in auditd.conf there
> is a setting tcp_client_max_idle which should be over twice as high as
> heartbeat_timeout. So, you'd set it to 180 or 300.
>
> > That said, so far I see no issues, so we're going to forge ahead and see
> > what happens. I just need to keep in mind what our mitigation plan would
> > be if we do run into issues.
>
> Old utilities won't know what to do with enriched events. AFAICS, that
> would be the long term issue. You'll need to do a perl, awk, or cut
> command to trim off the unknown part of the event in your logs.
>
> -Steve
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
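The heartbeat/idle relationship Steve describes above (tcp_client_max_idle on the auditd server set to more than twice the client's heartbeat_timeout) is easy to get wrong when the two files live on different hosts. The script below is an added example, not code from the thread or from the audit project: it reads the two settings from a copy of audisp-remote.conf and auditd.conf (both use plain `key = value` lines) and checks the rule. The real files are normally /etc/audisp/audisp-remote.conf and /etc/audit/auditd.conf, but the paths are passed as arguments; the sample configs written by demo() are constructed for the example. It treats a missing key as 0, which is the documented default for both settings and means the feature is disabled; with heartbeat_timeout at 0 the client sends no heartbeats, so a dropped server connection would not be detected, which is the reconnect symptom the thread started with.

```shell
#!/bin/sh
# Added example: sanity-check audisp-remote heartbeat_timeout against auditd's
# tcp_client_max_idle, per the "more than twice as high" rule from the thread.

# read_setting FILE KEY
# Prints the value of "KEY = value" from FILE (last match wins, comments
# ignored). Prints 0 when the key is absent, since 0 is the documented
# default (= disabled) for both heartbeat_timeout and tcp_client_max_idle.
read_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            split($0, kv, "=")
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[2])
                val = kv[2]
            }
        }
        END { if (val == "") val = 0; print val }
    ' "$1"
}

# check_idle_settings CLIENT_CONF SERVER_CONF
# Returns 0 when heartbeats are enabled and the server's idle limit is either
# disabled or more than twice the heartbeat interval; returns 1 otherwise.
check_idle_settings() {
    hb=$(read_setting "$1" heartbeat_timeout)
    idle=$(read_setting "$2" tcp_client_max_idle)
    if [ "$hb" -le 0 ]; then
        echo "WARN: heartbeat_timeout=$hb (heartbeats disabled): a dropped connection is never noticed by the client"
        return 1
    fi
    if [ "$idle" -gt 0 ] && [ "$idle" -le $((2 * hb)) ]; then
        echo "WARN: tcp_client_max_idle=$idle must exceed 2*heartbeat_timeout=$((2 * hb)) or the server will drop live clients"
        return 1
    fi
    echo "OK: heartbeat_timeout=$hb, tcp_client_max_idle=$idle"
    return 0
}

# demo: constructed sample configs (not real files from any host).
demo() {
    tmp=$(mktemp -d)
    printf '# constructed client config\nheartbeat_timeout = 60\n' > "$tmp/good-remote.conf"
    printf '# constructed server config\ntcp_client_max_idle = 180\n' > "$tmp/good-auditd.conf"
    printf 'heartbeat_timeout = 60\n' > "$tmp/bad-remote.conf"
    printf 'tcp_client_max_idle = 100\n' > "$tmp/bad-auditd.conf"
    printf 'remote_server = collector.example\n' > "$tmp/default-remote.conf"
    check_idle_settings "$tmp/good-remote.conf" "$tmp/good-auditd.conf" || :
    check_idle_settings "$tmp/bad-remote.conf" "$tmp/bad-auditd.conf" || :
    check_idle_settings "$tmp/default-remote.conf" "$tmp/good-auditd.conf" || :
    rm -rf "$tmp"
}

demo
```

Run it on the client host with the server's auditd.conf copied alongside (`check_idle_settings /etc/audisp/audisp-remote.conf ./auditd.conf`); a non-zero exit means the pair needs adjusting before relying on audisp-remote to reconnect.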
