I'm hoping that someone has hit this issue before, and possibly solved it. I've set up a number of servers in my environment to forward all audit log entries via audispd and rsyslog to a central rsyslog receiver, where they are parsed and saved. All that is working (audit is sent with LOG_LOCAL6 in audispd syslog plugin, "local6.* @@loghost:514" is in rsyslog.conf).
The problem/question I have is whether it is possible to turn off rate-limiting for rsyslog *only for audit traffic*. Leaving aside that I need to tune the audit rules better, on heavily loaded servers the rsyslogd starts dropping most of the audit traffic due to the rate-limiting parameters. I know I can turn it off (or set it much higher) for all rsyslog, but is there any way to selectively set the rate limit by either source (audispd) or facility (local6)? I hope that the answer will not involve using rsyslog v8, because I'm stuck with the RHEL7-provided v7.4.7. Any assistance/suggestions/leads are appreciated.

