On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Hello All!
>
>
> I have a question.

So do I. :-) Which version of the audit package are you using? There were some
logging robustness updates in the 2.8 series.

> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
>
> Using au-remote plugin client sends logs to remote.
>
>
> Let's stop (do not start then) remote's audit service and restart
> client's one.

So, if I understand this scenario, you are starting the client side while the
server is down?

> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
>
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
>
> How can I solve this issue without client's audit service
> restart?

Typically, you need to send SIGUSR2 to audisp-remote.

> Is it possible by any settings/configs?
>
> Any help would be appreciated.

I'll look into it, but please if you could let me know the answer to the above
2 questions.

-Steve
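Added example, not part of the original thread or the audit project's code: a shell check that flags the condition described above, where audispd gives up on a plugin after max_restarts and remote forwarding ends without further notice. The function names, the syslog prefix layout and the sample lines are constructed assumptions; only the "has exceeded max_restarts" message text, the default of 10 and the /etc/audisp/audispd.conf path come from the thread.

```shell
#!/bin/sh
# Added example: detect audispd plugins abandoned after max_restarts.

# Print the effective max_restarts from an audispd.conf-style file.
# Falls back to 10 (the default quoted in the thread) if unset or unreadable.
max_restarts() {
    v=$(sed -n 's/^[[:space:]]*max_restarts[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        "$1" 2>/dev/null | tail -n 1)
    echo "${v:-10}"
}

# Read log lines on stdin; print each plugin path audispd gave up on, once.
abandoned_plugins() {
    sed -n 's/.*plugin \([^[:space:]]*\) has exceeded max_restarts.*/\1/p' | sort -u
}

# Constructed sample input: host name, timestamps and PIDs are made up.
sample_log() {
    cat <<'EOF'
Apr 12 09:03:40 client1 audispd: plugin /sbin/audisp-remote has exceeded max_restarts
Apr 12 09:05:11 client1 sshd[2211]: Accepted publickey for admin
Apr 12 11:20:07 client1 audispd: plugin /sbin/audisp-remote has exceeded max_restarts
EOF
}

# Read log lines on stdin, report abandoned plugins.
# $1 = path to audispd.conf. Returns 1 if forwarding was lost, 0 otherwise.
report() {
    lost=$(abandoned_plugins)
    [ -z "$lost" ] && { echo "OK: no plugin abandoned"; return 0; }
    for p in $lost; do
        echo "ALERT: $p is no longer being restarted (max_restarts=$(max_restarts "$1"))"
    done
    return 1
}

# Demo run on the constructed sample; on a real host, pipe in the system log.
sample_log | report /etc/audisp/audispd.conf || true
```

A non-zero return from `report` can drive a cron or monitoring alert, so a client that has stopped shipping audit records to the collector is noticed promptly.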