On 14/01/20, Aaron Lewis wrote:
> Hi,
>
> I'm not sure if this is the default behavior,
>
> I'm using audit 2.3.2, and I've configured auditd not to log anything
> (NOLOG option), and I set the queue buffer to 10240 messages.

I assume this is because you are using remote logging or using the
dispatcher?

> When the buffer is full or auditd is suddenly killed or for some other
> reason, it seems to write a lot of things to dmesg or
> /var/log/messages

This is by design.

> So, did kauditd write all these? I already killed auditd process but I
> can still see logs piling up.

If auditd has ever run, kaudit will continue to try delivering messages.

> Can I ask kauditd not to print anything if user space program cannot
> handle that many messages?

Sure, on the kernel boot line you can set audit=0 to disable kaudit, or
you can tell the init system to not start auditd.

> Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
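
A way to check which of the states discussed in this thread a host is in, added here as an example and not part of the original messages: it reads the `audit=` boot parameter and classifies `auditctl -s` output, flagging the case where auditing is enabled but no daemon is registered (pid 0), which is when records end up in dmesg or /var/log/messages. The function names are hypothetical, the sample status text is constructed, and the two `auditctl -s` layouts handled (one-line `key=value` and per-line `key value`) are assumptions about the installed audit version.

```shell
#!/bin/sh
# Added example: classify kernel audit state for the situation in this thread.

# Print the value of the audit= boot parameter in cmdline text $1.
# Prints nothing if absent; if repeated, the last occurrence is reported.
boot_audit_param() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^audit=//p' | tail -n 1
}

# Print the value of field $1 from `auditctl -s` text $2.
# Works for "enabled=1 pid=0 ..." on one line and for "enabled 1" per line.
audit_field() {
    printf '%s\n' "$2" | tr '=' ' ' | awk -v k="$1" '
        { for (i = 1; i < NF; i++) if ($i == k) { print $(i + 1); exit } }'
}

# Classify status text $1 as: unknown, disabled, no-daemon, losing-records, ok.
audit_state() {
    enabled=$(audit_field enabled "$1")
    pid=$(audit_field pid "$1")
    lost=$(audit_field lost "$1")
    case "$enabled" in
        '') echo unknown; return ;;
        0)  echo disabled; return ;;
    esac
    if [ "${pid:-0}" -eq 0 ]; then
        echo no-daemon          # enabled, but no auditd registered to receive records
    elif [ "${lost:-0}" -gt 0 ]; then
        echo losing-records     # daemon present, but the kernel has dropped records
    else
        echo ok
    fi
}

# Constructed sample inputs (not captured from a real host).
OLD_STYLE='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=10240 lost=87 backlog=10240'
NEW_STYLE=$(printf 'enabled 1\nfailure 1\npid 1402\nrate_limit 0\nbacklog_limit 10240\nlost 0\nbacklog 3')

# Run against the live system only when asked (auditctl -s needs root).
if [ "${1:-}" = "--live" ]; then
    echo "boot audit= parameter: $(boot_audit_param "$(cat /proc/cmdline)")"
    echo "audit state: $(audit_state "$(auditctl -s)")"
fi
```

A `no-daemon` result on a host that is supposed to ship audit records is worth alerting on, since the records are then only as durable as the kernel log.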
