On Mon, Feb 6, 2017 at 8:12 PM, Chris Nandor <[email protected]> wrote:
> If I restart auditd, can it lose (not record to the logs) events that happen
> during the restart? Or is the restart (and reload of new rules) essentially
> atomic?
The kernel maintains a backlog queue of audit records when auditd is not running and attempts to (re)send those records when auditd is started. However, the backlog queue size is fixed and it is possible to overflow the queue; if that happens a message will be sent to the kernel's ring buffer (dmesg).

-- 
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
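A defender-side check that follows from the reply above, added here as an example and not part of the thread: after an auditd restart, confirm from `auditctl -s` counters and dmesg whether the kernel backlog overflowed and records were lost. The `key value` line format of `auditctl -s` and the kernel's `audit: backlog limit exceeded` wording are assumptions; the sample status and dmesg text below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: detect audit record loss across an auditd restart.
# Feed real output with:  audit_events_lost "$(auditctl -s)" "$(dmesg)"

# Constructed `auditctl -s` output (assumed "key value" per line) showing a
# restart whose backlog overflowed: 17 records lost, limit 320.
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 17
backlog 2'

# Constructed clean status for comparison (nothing lost).
CLEAN_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Constructed dmesg excerpt; the last line is the overflow message the kernel
# emits when the backlog limit is exceeded (wording assumed).
SAMPLE_DMESG='[  421.771] audit: audit_lost=17 audit_rate_limit=0 audit_backlog_limit=320
[  421.771] audit: backlog limit exceeded'

# Print one counter from status text: $1 = status text, $2 = key name.
audit_status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# True (exit 0) if the kernel counted lost records or dmesg carries the
# overflow message: $1 = status text, $2 = dmesg text.
audit_events_lost() {
    lost=$(audit_status_field "$1" lost)
    [ "${lost:-0}" -gt 0 ] && return 0
    printf '%s\n' "$2" | grep -q 'audit: backlog limit exceeded' && return 0
    return 1
}

# True if the current backlog is at or above $2 percent of backlog_limit,
# an early warning before loss actually occurs: $1 = status text.
audit_backlog_near_limit() {
    limit=$(audit_status_field "$1" backlog_limit)
    backlog=$(audit_status_field "$1" backlog)
    [ "${limit:-0}" -gt 0 ] || return 1
    [ $(( ${backlog:-0} * 100 / limit )) -ge "$2" ]
}

if audit_events_lost "$SAMPLE_STATUS" "$SAMPLE_DMESG"; then
    echo "audit records lost: lost=$(audit_status_field "$SAMPLE_STATUS" lost)"
    echo "consider raising the backlog limit (auditctl -b) before restarting"
fi
```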
