Trying to make changes to the size of the events buffer in prelude-ids auditd plugin

Posted by tharris on Server Fault
Published on 2010-05-10T15:21:58Z Indexed on 2010/05/10 15:25 UTC

I am running systems using the prelude-ids plugin for auditd. When the manager is up, everything works fine; however, I have a requirement that when the clients can't talk to the manager they should store no more than 250MB of messages, and when they hit that point they should start deleting the oldest events. All I can find is that audispd can be set to an overflow action of ignore, syslog, suspend, single, and halt, none of which meet my requirement, and several of which I really cannot use. Does anyone know a way to do this? I know the events get stored in /var/spool/prelude/auditd/global, but I can't find anything about configuring how things are stored here. There are usually several files in the global directory, but only 2 of them ever go above 0 in size: data0 and data0.journal.
