* unlimit retries for remote plugin restart
@ 2018-04-12 6:13 Levin Stanislav
2018-04-12 14:32 ` Steve Grubb
2018-06-20 17:55 ` Steve Grubb
0 siblings, 2 replies; 4+ messages in thread
From: Levin Stanislav @ 2018-04-12 6:13 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1.1: Type: text/plain, Size: 739 bytes --]
Hello All!
I have a question.
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can i solve this issue without client's audit service
restart? Is it possible by any settings/configs?
Any help would be appreciated.
Thank you in advance.
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: unlimit retries for remote plugin restart
2018-04-12 6:13 unlimit retries for remote plugin restart Levin Stanislav
@ 2018-04-12 14:32 ` Steve Grubb
2018-06-20 17:55 ` Steve Grubb
1 sibling, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2018-04-12 14:32 UTC (permalink / raw)
To: linux-audit
On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Hello All!
>
>
> I have a question.
So do I. :-)
Which version of the audit package are you using? There were some logging
robustness updates in the 2.8 series.
> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
>
> Using au-remote plugin client sends logs to remote.
>
>
> Let's stop (do not start then) remote's audit service and restart
> client's one.
So, if I understand this scenario, you are starting the client side while the
server is down?
> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
>
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
>
> How can i solve this issue without client's audit service
> restart?
Typically, you need to send SIGUSR2 to audisp-remote.
> Is it possible by any settings/configs?
>
> Any help would be appreciated.
I'll look into it, but please if you could let me know the answer to the
above 2 questions.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: unlimit retries for remote plugin restart
2018-04-12 6:13 unlimit retries for remote plugin restart Levin Stanislav
2018-04-12 14:32 ` Steve Grubb
@ 2018-06-20 17:55 ` Steve Grubb
2018-06-26 13:19 ` Levin Stanislav
1 sibling, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2018-06-20 17:55 UTC (permalink / raw)
To: linux-audit
On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
> Let's assume we have client's audit service and audit gatherer placed on
> a remote host.
>
> Using au-remote plugin client sends logs to remote.
>
> Let's stop (do not start then) remote's audit service and restart
> client's one.
>
> After that overcome max_restarts limit (e.g. default 10) from
> /etc/audisp/audispd.conf by audit's events.
>
> Then start remote's audit service and trigger any audit event on client.
> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
> exceeded max_restarts").
>
> How can i solve this issue without client's audit service
> restart? Is it possible by any settings/configs?
Please give audit-2.8.4 a shot. It should solve this problem.
-Steve
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: unlimit retries for remote plugin restart
2018-06-20 17:55 ` Steve Grubb
@ 2018-06-26 13:19 ` Levin Stanislav
0 siblings, 0 replies; 4+ messages in thread
From: Levin Stanislav @ 2018-06-26 13:19 UTC (permalink / raw)
To: Steve Grubb, linux-audit
[-- Attachment #1.1.1: Type: text/plain, Size: 973 bytes --]
Hello, Steve!
The solution is verified! There is no problem.
Thank you so much!
Good luck!
20.06.2018 20:55, Steve Grubb пишет:
> On Thursday, April 12, 2018 2:13:39 AM EDT Levin Stanislav wrote:
>> Let's assume we have client's audit service and audit gatherer placed on
>> a remote host.
>>
>> Using au-remote plugin client sends logs to remote.
>>
>> Let's stop (do not start then) remote's audit service and restart
>> client's one.
>>
>> After that overcome max_restarts limit (e.g. default 10) from
>> /etc/audisp/audispd.conf by audit's events.
>>
>> Then start remote's audit service and trigger any audit event on client.
>> But audisp-remote process is dead ("plugin /sbin/audisp-remote has
>> exceeded max_restarts").
>>
>> How can i solve this issue without client's audit service
>> restart? Is it possible by any settings/configs?
> Please give audit-2.8.4 a shot. It should solve this problem.
>
> -Steve
>
>
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-06-26 13:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-12 6:13 unlimit retries for remote plugin restart Levin Stanislav
2018-04-12 14:32 ` Steve Grubb
2018-06-20 17:55 ` Steve Grubb
2018-06-26 13:19 ` Levin Stanislav
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.