ausearch produces a Warning

ausearch produces a Warning

[Warron S French]

[-- Attachment #1.1: Type: text/plain, Size: 1666 bytes --]

Hello all,
                I have audit logging working exactly as I want it now (thanks to you all), but when running ausearch on various systems (not all, which tells me something isn't consistent) I get a warning:

Warning - freq is non-zero and incremental flushing not selected.

I saw on the internet a post that (involved you Steve Grubb) in reply to someone else from Date: Fri, 19 May 2006 15:01:37 -0400

Here is the part of the thread where you replied Steve:

  *   From: Steve Grubb <sgrubb redhat com>
  *   To: Linda Knippers <linda knippers hp com>
  *   Cc: linux-audit redhat com
  *   Subject: Re: Double addition of rule yields two log messages
  *   Date: Fri, 19 May 2006 15:01:37 -0400

________________________________
On Friday 19 May 2006 14:47, Linda Knippers wrote:
> But why does ausearch care?

Ausearch doesn't care about this particular setting. Its looking at the config
to find the log files. The parser is what cares and it is what emitted this
warning. As such, you can use ausearch to make sure your config is sane
before sending sighup to reconfigure the audit daemon.

> Seems like if anything cared it would be the auditd but I can't find an
> error or warning from it anywhere.

Should be in the syslog.

-Steve


The question I have is, even this says "Warning" does it mean there is something I really need to be intensely looking into to prevent issues to come?

I do not fully understand the impact of what the flush parameter.  I am also trying to comply with a STIG as well; I think that's what has caused this message to be presented.




Thank you,

Warron French, MBA, SCSA

[-- Attachment #1.2: Type: text/html, Size: 12625 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: ausearch produces a Warning

[Steve Grubb]

On Thu, 12 May 2016 19:14:35 +0000
Warron S French <warron.s.french@aero.org> wrote:

> Hello all,
>                 I have audit logging working exactly as I want it now
> (thanks to you all), but when running ausearch on various systems
> (not all, which tells me something isn't consistent) I get a warning:
> 
> Warning - freq is non-zero and incremental flushing not selected.
 
<snip> 
 
> The question I have is, even this says "Warning" does it mean there
> is something I really need to be intensely looking into to prevent
> issues to come?

ausearch/report/auditd all share the same config file parser code. This
warning is actually not important for ausearch/report, but is
meaningful for auditd. What this means is that you have incremental
flushing halfway setup. Meaning that the value is non-zero as if you
intended to flush periodically, but you don't actually have incremental
selected as the flushing technique. The fix is to either select
incremental as the flushing technique or set freq to 0 so that its
consistent with the flush technique.

The reason that you would want to use incremental flushing is for
performance. I'd recommend 100 or 200 for the freq setting on a busy or
aggregating server. I'd recommend 50 for everyone else.


> I do not fully understand the impact of what the flush parameter.  I
> am also trying to comply with a STIG as well; I think that's what has
> caused this message to be presented.

It means you may not be getting the logging performance that you
intended.

-Steve

RE: ausearch produces a Warning

[Warron S French]

Thank you for the education and the guidance Steve.


It is greatly appreciated,

Warron French, MBA, SCSA

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Thursday, May 12, 2016 9:33 PM
To: Warron S French <warron.s.french@aero.org>
Cc: linux-audit@redhat.com
Subject: Re: ausearch produces a Warning

On Thu, 12 May 2016 19:14:35 +0000
Warron S French <warron.s.french@aero.org> wrote:

> Hello all,
>                 I have audit logging working exactly as I want it now 
> (thanks to you all), but when running ausearch on various systems (not 
> all, which tells me something isn't consistent) I get a warning:
> 
> Warning - freq is non-zero and incremental flushing not selected.
 
<snip> 
 
> The question I have is, even this says "Warning" does it mean there is 
> something I really need to be intensely looking into to prevent issues 
> to come?

ausearch/report/auditd all share the same config file parser code. This warning is actually not important for ausearch/report, but is meaningful for auditd. What this means is that you have incremental flushing halfway setup. Meaning that the value is non-zero as if you intended to flush periodically, but you don't actually have incremental selected as the flushing technique. The fix is to either select incremental as the flushing technique or set freq to 0 so that its consistent with the flush technique.

The reason that you would want to use incremental flushing is for performance. I'd recommend 100 or 200 for the freq setting on a busy or aggregating server. I'd recommend 50 for everyone else.


> I do not fully understand the impact of what the flush parameter.  I 
> am also trying to comply with a STIG as well; I think that's what has 
> caused this message to be presented.

It means you may not be getting the logging performance that you intended.

-Steve