Hi guys,

Yes, just like what Steve says.
I use a dispatcher to handle all logs, and would rather discard them all if the dispatcher can't handle them. And no, the dispatcher is a Perl program that runs locally, not remote logging. (I replaced the 'dispatcher=' line in auditd.conf.)

On Tue, Jan 21, 2014 at 2:24 AM, Richard Guy Briggs <[email protected]> wrote:
> On 14/01/20, Steve Grubb wrote:
>> On Mon, 20 Jan 2014 12:36:27 -0500
>> Richard Guy Briggs <[email protected]> wrote:
>>
>> > > Can I ask kauditd not print anything if user space program cannot
>> > > handle that much message?
>> >
>> > Sure, on the kernel boot line you can set audit=0 to disable kaudit,
>> > or you can tell the init system to not start auditd.
>>
>> what if someone never wants events to go to syslog?
>
> Then we need to add a new feature to kaudit to stop them.
>
> This also begs the question of what happens to AUDIT_USER_AVC
> messages... This patchwork is messy.
>
>> -Steve
>
> - RGB
>
> --
> Richard Guy Briggs <[email protected]>
> Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems,
> Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Best Regards,
Aaron Lewis - PGP: 0x13714D33 - http://pgp.mit.edu/
Finger Print: 9F67 391B B770 8FF6 99DC D92D 87F6 2602 1371 4D33

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
