On 13/08/09 15:56, David Flatley wrote:
> Red Hat 5.3 running audit 1.7.7-6. Rotating logs at 20 megs and allowing 8 logs. Rules have watches and syscalls from the SECSCAN recommendations, and have added some of Steve Grubb's recommendations. When we extract and archive the audit logs we get "Error receiving audit netlink packet (No buffer space available)" and "error sending signal info request".
Where do you get these messages? Are they in /var/log/messages?
> Our extract is: stop auditd, then create a file and run ausearch -i > file, then run an aureport -i > file, then once that is done we delete all the logs and restart auditd.
You don't want to be stopping auditd. I'd either look harder into the command line arguments to ausearch and aureport and combine usage with 'service auditd rotate', or use a different collection mechanism.
Also, how are you stopping auditd? Are you using 'service auditd stop'? If so, you are losing data because it removes audit rules when it stops. If you are using something else like SIGSTOP, the kernel is sensitive to the audit daemon not being responsive. This is likely to cause problems.
Can you post the exact script you're using?

Matt

--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team

M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
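As an added illustration of the approach Matt recommends (this is not a script from the thread and not the poster's extract job), the sketch below archives audit logs without ever stopping auditd: it asks the daemon to rotate via 'service auditd rotate', then runs ausearch and aureport against the rotated files with -if instead of the live audit.log, and deletes only the rotated copies it has already processed. It assumes the default log directory /var/log/audit and the archive directory /var/tmp/audit-archive; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread.
# Assumptions: auditd writes to /var/log/audit (AUDIT_LOG_DIR overrides it),
# archives go to /var/tmp/audit-archive (ARCHIVE_DIR overrides it), and the
# init script supports 'service auditd rotate', which tells auditd to close
# audit.log and open a fresh one while the rules stay loaded in the kernel.

AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/tmp/audit-archive}"

# List the rotated logs (audit.log.1 ... audit.log.N), oldest first, one path
# per line. The live audit.log is deliberately excluded because auditd is
# still writing to it; only numerically suffixed files are considered.
rotated_logs() {
    dir="$1"
    for f in "$dir"/audit.log.*; do
        [ -f "$f" ] || continue
        n="${f##*.}"
        case "$n" in *[!0-9]*) continue ;; esac
        printf '%s %s\n' "$n" "$f"
    done | sort -rn | cut -d' ' -f2-
}

# Build the ausearch command for one rotated file: -if reads that file rather
# than the live log, -i interprets numeric fields as in the poster's extract.
ausearch_cmd() {
    printf 'ausearch -if %s -i\n' "$1"
}

# Rotate, then archive each rotated file and remove only that file.
archive_audit_logs() {
    mkdir -p "$ARCHIVE_DIR" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    # Rotation keeps auditd responsive and the rule set intact, unlike
    # 'service auditd stop' or SIGSTOP.
    service auditd rotate || return 1
    rotated_logs "$AUDIT_LOG_DIR" | while read -r f; do
        base=$(basename "$f")
        ausearch -if "$f" -i > "$ARCHIVE_DIR/$base.$stamp.ausearch" 2>&1
        aureport -if "$f" -i > "$ARCHIVE_DIR/$base.$stamp.aureport" 2>&1
        # Never touch audit.log itself; it is the file auditd holds open.
        rm -f "$f"
    done
}

# Run the job only when invoked explicitly, e.g. from cron: sh archive.sh --run
if [ "${1:-}" = "--run" ]; then
    archive_audit_logs
fi
```

Because rotated files are processed oldest first and removed one at a time, an interrupted run leaves the newer rotated logs in place for the next pass, and auditd itself is never signalled with anything other than its own rotate request.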
