Trying to make changes to the size of the events buffer in prelude-ids auditd plugin
Posted by tharris on Server Fault
Published on 2010-05-10T15:21:58Z; indexed on 2010/05/10 15:25 UTC
I am running systems using the prelude-ids plugin for auditd. When the manager is up, everything works fine; however, I have a requirement that when the clients can't talk to the manager they should store no more than 250MB of messages, and when they hit that point they should start deleting the oldest events. All I can find is that audispd can be set to an overflow action of ignore, syslog, suspend, single, and halt, none of which meet my requirement, and several of which I really cannot use. Does anyone know a way to do this? I know the events get stored in /var/spool/prelude/auditd/global, but I can't find anything about configuring how things are stored there. There are usually several files in the global directory, but only two of them ever go above 0 in size: data0 and data0.journal.
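The question has no answer on the page, and none of the audispd overflow actions it lists (ignore, syslog, suspend, single, halt) trims a spool. What a practitioner can do safely is measure the failover spool against the 250MB requirement and alert before it is reached. The script below is an added example written for this page, not code from the question, from audit or from Prelude: the spool path and the 250MB figure come from the question; the function names, the `--check` flag and the temporary directory used to exercise it are assumptions. It deliberately deletes nothing, because the data0 and data0.journal files are written by the Prelude client and the page gives no supported way to drop their oldest entries.

```shell
#!/bin/sh
# Added example for the Server Fault question above; not part of the original
# post, of audispd, or of Prelude. Measures the Prelude failover spool used by
# the auditd plugin against a size cap. Path and the 250 MB cap are taken from
# the question; everything else (function names, --check flag) is assumed.
set -eu

SPOOL_DIR="${SPOOL_DIR:-/var/spool/prelude/auditd/global}"
CAP_MB="${CAP_MB:-250}"

# spool_kbytes DIR: total size in KiB of DIR as reported by du -sk (POSIX).
# A missing directory counts as 0 so the check can run before the first failover.
spool_kbytes() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    du -sk "$dir" | awk '{print $1}'
}

# spool_over_cap DIR CAP_MB: succeed (exit 0) when DIR is at or over CAP_MB
# megabytes, fail (exit 1) otherwise. Usable directly in an if/&& list.
spool_over_cap() {
    dir="$1"; cap_mb="$2"
    kb=$(spool_kbytes "$dir")
    [ "$kb" -ge $((cap_mb * 1024)) ]
}

# spool_report DIR CAP_MB: list each regular file in DIR with its size
# (on a live system this is where data0 and data0.journal show up), then
# print a verdict. Returns 1 when the cap is exceeded so it can drive an alert.
spool_report() {
    dir="$1"; cap_mb="$2"
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            printf '%s\t%s KiB\n' "$f" "$(du -k "$f" | awk '{print $1}')"
        done
    fi
    if spool_over_cap "$dir" "$cap_mb"; then
        printf 'OVER CAP: %s uses %s KiB, cap is %s MB\n' \
            "$dir" "$(spool_kbytes "$dir")" "$cap_mb"
        return 1
    fi
    printf 'OK: %s uses %s KiB, cap is %s MB\n' \
        "$dir" "$(spool_kbytes "$dir")" "$cap_mb"
}

# Run the check only when invoked as "sh spoolcheck.sh --check" (assumed
# invocation), e.g. from cron, so that sourcing the file defines functions only.
if [ "${1:-}" = "--check" ]; then
    spool_report "$SPOOL_DIR" "$CAP_MB"
fi
```

Run it from cron as root with `--check`; a non-zero exit means the 250MB line has been crossed and someone needs to act before audispd's own overflow action kicks in. Because it only reads sizes, it is safe to run while the Prelude client is writing to the spool.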
© Server Fault or respective owner