On Tue, Nov 17, 2009 at 9:52 PM, LC Bruzenak <[email protected]> wrote: > On Tue, Nov 17, 2009 at 3:48 PM, Steve Grubb <[email protected]> wrote: >> On Monday 16 November 2009 06:52:24 pm LC Bruzenak wrote: >>> > You should have daemon start/end events at the aggregator. Are they not >>> > getting there? Also, the aggregator should have matching >>> > connect/disconnect events. >>> >>> I am not getting the DAEMON_END events. In an orderly shutdown, the >>> network shuts down before the audit daemon does. >> >> OK, I'll take a look to see if things can be reordered to let this event get >> sent. >> >> -Steve >> > > Thanks, that would help in the case where the client shuts down normally. > There is definitely utility in having a positive event come from the > sender saying it is shutting down. > > But if the client gets the power cord yanked out it doesn't help me, > so I'll still try to add something on the server side to add a local > audit event as well as the syslog. >
OK, I see it appears it would work as expected. I see that the "close_client" gets called on a client timeout, and it does send a AUDIT_DAEMON_CLOSE event. I will test that ASAP. I assume a client which just drops off would hit this case. Thx! LCB. -- LC (Lenny) Bruzenak -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
