From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: unlimit retries for remote plugin restart
Date: Thu, 12 Apr 2018 10:32:17 -0400
Message-ID: <10732064.lyPTfpF90X@x2>
In-Reply-To: <8553ac31-e5b2-b389-b45e-6a8b856e4a58@basealt.ru>

On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Hello All!
> 
> 
> I have a question.

So do I. :-)

Which version of the audit package are you using? There were some logging 
robustness updates in the 2.8 series.

> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
> 
> Using au-remote plugin client sends logs to remote.
> 
> 
> Let's stop (do not start then) remote's audit service and restart
> client's one.

So, if I understand this scenario, you are starting the client side while the 
server is down?

> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
> 
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
> 
> How can I solve this issue without client's audit service
> restart?

Typically, you need to send SIGUSR2 to audisp-remote.

> Is it possible by any settings/configs?
> 
> Any help would be appreciated.

I'll look into it, but please if you could let me know the answer to the 
above 2 questions.

-Steve
