Search Results

Search found 1 results on 1 pages for 'tharris'.


  • Trying to make changes to the size of the events buffer in prelude-ids auditd plugin

    - by tharris
    I am running systems using the prelude-ids plugin for auditd. When the manager is up everything works fine; however, I have a requirement that when the clients can't talk to the manager they should store no more than 250MB of messages, and when they hit that point they should start deleting the oldest events. All I can find is that audispd can be set to an overflow action of ignore, syslog, suspend, single, and halt, none of which meet my requirement, and several of which I really cannot use. Does anyone know a way to do this? I know the events get stored in /var/spool/prelude/auditd/global, but I can't find anything about configuring how things are stored here. There are usually several files in the global directory but only 2 of them ever go above 0 in size, data0 and data0.journal.
