From: Richard Guy Briggs <rgb@redhat.com>
To: Alan Evangelista <alan.vitor@gmail.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: Backlog not working with kernel 3.10
Date: Wed, 17 Mar 2021 21:16:47 -0400
Message-ID: <20210318011647.GA2781019@madcap2.tricolour.ca>
In-Reply-To: <CAKz+TUuPtycbqY37L3SJMsdJXw=3jW3_7fnSn0oJeP4QCV2TtQ@mail.gmail.com>
On 2021-03-16 18:25, Alan Evangelista wrote:
> I'm using CentOS7 with kernel 3.10.0-1160.15.2.el7.x86_64 and trying to
> test the backlog, but it seems it's not working at all.
> First I turned auditd off so that events are not consumed:
> # service stop auditd
>
> Then I make sure that the backlog size is greater than 0:
> # auditctl -s
> enabled 1
> failure 1
> pid 0
> backlog_limit 8192
> lost 0
> backlog 0
This is a bit of a long shot, and I note the "enabled 1" while "pid 0"
above, but have you got "audit=1" in the kernel boot parameters? If
not, what happens if you add it?
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
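
A check for the two things the reply above asks about, the audit= boot parameter and the "enabled 1" / "pid 0" pair in the status output. This is an added example, not part of the original message or thread; the function names and the sample kernel command line are constructed for illustration, and the sample status text mirrors the quoted output.

```shell
#!/bin/sh
# Added example: collect the facts asked about in the reply.

# audit_boot_param CMDLINE -> value of the audit= token, or "unset".
# Only an exact "audit=" prefix counts, so audit_backlog_limit= is ignored.
# If the token is repeated, the last one is reported (assumed precedence).
audit_boot_param() {
    val=unset
    for tok in $1; do
        case $tok in
            audit=*) val=${tok#audit=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# status_field NAME STATUS -> value of NAME in "name value" lines,
# the layout of the auditctl -s output quoted in the message.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# summarize CMDLINE STATUS -> one line with the boot parameter, the
# enabled flag, and whether an audit daemon is registered (pid 0 = none).
summarize() {
    boot=$(audit_boot_param "$1")
    enabled=$(status_field enabled "$2")
    pid=$(status_field pid "$2")
    if [ "$pid" = 0 ]; then
        daemon="no audit daemon registered"
    else
        daemon="audit daemon registered"
    fi
    printf 'audit=%s enabled=%s pid=%s (%s)\n' "$boot" "$enabled" "$pid" "$daemon"
}

# Constructed sample input: a command line without audit=1, and the
# status values from the quoted output.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0-1160.15.2.el7.x86_64 ro quiet'
SAMPLE_STATUS='enabled 1
failure 1
pid 0
backlog_limit 8192
lost 0
backlog 0'

# On a live host (auditctl needs root):
#   summarize "$(cat /proc/cmdline)" "$(auditctl -s)"
summarize "$SAMPLE_CMDLINE" "$SAMPLE_STATUS"
```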