On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Hello All!
> 
> 
> I have a question.

So do I. :-)

Which version of the audit package are you using? There were some logging 
robustness updates in the 2.8 series.

> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
> 
> Using au-remote plugin client sends logs to remote.
> 
> 
> Let's stop (do not start then) remote's audit service and restart
> client's one.

So, if I understand this scenario, you are starting the client side while the 
server is down?

> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
> 
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
> 
> How can i solve this issue without client's audit service
> restart?

Typically, you need to send SIGUSR2 to audisp-remote.

> Is it possible by any settings/configs?
> 
> Any help would be appreciated.

I'll look into it, but please if you could let me know the answer to the 
above 2 questions.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to