On 2021-03-16 18:25, Alan Evangelista wrote:
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
>
> First I turned auditd off so that events are not consumed:
> # service stop auditd
>
> Then I make sure that the backlog size is greater than 0:
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> backlog_limit 8192
> lost 0
> backlog 0

This is a bit of a long shot, and I note the "enabled 1" while "pid 0" above, but have you got "audit=1" in the kernel boot parameters? If not, what happens if you add it?

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
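The reply above boils down to two checks a defender can script: does `auditctl -s` report `enabled 1` with `pid 0` (audit on in the kernel, but no auditd registered to drain the queue), and does the kernel command line carry `audit=1`? The following POSIX shell diagnostic is an added example, not code from the thread or from the audit project. It parses the `auditctl -s` output quoted in the message (embedded here as a constructed sample) together with a constructed kernel command line, and reports which of the conditions discussed applies; the verdict strings and the hypothetical `BOOT_IMAGE=`/`root=` values are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the mailing-list post): classify the audit
# backlog state from `auditctl -s` output and the kernel command line.

# Constructed sample: the `auditctl -s` output quoted in the thread.
SAMPLE_STATUS='enabled 1
failure 1
pid 0
backlog_limit 8192
lost 0
backlog 0'

# Constructed kernel command lines (hypothetical values), one without and
# one with the audit=1 boot parameter the reply asks about.
SAMPLE_CMDLINE_NO_AUDIT='BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/sda1 ro quiet'
SAMPLE_CMDLINE_AUDIT='BOOT_IMAGE=/vmlinuz-3.10.0 root=/dev/sda1 ro quiet audit=1'

# status_field STATUS KEY: print the value of KEY from `auditctl -s` output.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# has_audit_boot_param CMDLINE: succeed if audit=1 appears as a whole word.
has_audit_boot_param() {
    printf ' %s ' "$1" | grep -q -- ' audit=1 '
}

# diagnose STATUS CMDLINE: print a one-word verdict for the combination.
#   audit-disabled           enabled != 1, nothing will be queued at all
#   no-daemon-no-boot-param  enabled 1, pid 0, audit=1 absent (the case
#                            the reply points at)
#   no-daemon-boot-param-set enabled 1, pid 0, audit=1 present
#   backlog-full             queue has reached backlog_limit (> 0)
#   ok                       nothing suspicious in these fields
diagnose() {
    d_status="$1"; d_cmdline="$2"
    d_enabled=$(status_field "$d_status" enabled)
    d_pid=$(status_field "$d_status" pid)
    d_backlog=$(status_field "$d_status" backlog)
    d_limit=$(status_field "$d_status" backlog_limit)
    if [ "$d_enabled" != "1" ]; then
        echo "audit-disabled"
    elif [ "$d_pid" = "0" ] && ! has_audit_boot_param "$d_cmdline"; then
        echo "no-daemon-no-boot-param"
    elif [ "$d_pid" = "0" ]; then
        echo "no-daemon-boot-param-set"
    elif [ "${d_limit:-0}" -gt 0 ] && [ "${d_backlog:-0}" -ge "$d_limit" ]; then
        echo "backlog-full"
    else
        echo "ok"
    fi
}

# Stand-alone run against the constructed samples.
echo "without audit=1: $(diagnose "$SAMPLE_STATUS" "$SAMPLE_CMDLINE_NO_AUDIT")"
echo "with audit=1:    $(diagnose "$SAMPLE_STATUS" "$SAMPLE_CMDLINE_AUDIT")"

# On a live host (as root) the same function reads the real values:
#   diagnose "$(auditctl -s)" "$(cat /proc/cmdline)"
```

The `pid` field is the PID auditd registered with the kernel, so `pid 0` alongside `enabled 1` is exactly the mismatch the reply highlights; the script only reports it, and the kernel command line check tells you whether `audit=1` is the next thing to try.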