Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hello. This website has helped quite a lot over the years, and I finally decided to bring a question here.
I have a Linux server that is sending audits to the audisp daemon, which is then forwarding them to my remote syslog server. This all works perfectly, with each and every event (that I ask for) being recorded on both the server and the local audit.log file. Unfortunately, the queue file seems to not purge itself, and so starts to overflow and report things.
I get this message repeated frequently in my logs:
"audispd: queue is full - dropping event"
If I clear out the queue file, everything works great. It seems that the only thing not working properly is that the queue file is not purging things...it is just saving items, never recognizing they are being sent to the remote server.
Any ideas? I have seen several things on Google about people with similar errors, but they all have to do with excessive traffic/latency issues. In my situation, everything is working fine except the queue file.
What is "frequently"? Once per hour? Every time /etc/cron.daily runs?
What's your systems load?
Is your qos setting "lossless"? Did you change the priority boost? What's the length of the internal audispd queue? (In short 'grep -v ^# audisp*conf|grep .;')
Are any SELinux AVCs logged at the same time?
Do you run a large set of Audit rules?
I only get messages when a system config is changed, users log in/out, configs are changed, etc. Under normal use, I may not see more than a message or 2 in 10 minutes.
When an event occurs (I su - ) in the same second I get about 10 messages in the log:
audispd: queue is full - dropping event
audispd: queue is full - dropping event
audispd: queue is full - dropping event
audispd: queue is full - dropping event
audispd: queue is full - dropping event
User su- root
audispd: queue is full - dropping event
audispd: queue is full - dropping event
audispd: queue is full - dropping event
audispd: queue is full - dropping event
If I empty the queue and do the same thing, I just get
User su- root
SE Linux is disabled.
QoS settings -- don't know. I can find out.
System load: barely anything. It is a small NFS server -- total overkill.
Priority changed to 8
Changed queue length from 80 to 1024 to see if it fixed anything.
The "queue is full" messages seem to indicate audispd can't keep up and it's not a case of "purging" the queue (but what do I know). As I'm unsure which settings you're currently using, you said you already increased the queue length, I'd lower audispd priority down to zero. If still problematic you could lower it further as it should take negative numbers. If that doesn't resolve things I'd start a Bugzilla ticket.
Ok, so I am moving forward on this a little more, and have managed to become confused.
We can discard the priority idea....the queue full is due to something missing a connection. I am not logging audits here like I thought I was, only syslog items.
To send audit log files remotely, it requires 3 pieces:
auditd <----takes the actual audits
audisp-remote
rsyslog
How are these 2 different? There is a ton of talk of these, but I can't even find my original example.
I am trying to get my head around the order of events here.
auditd message -> /var/log/audit/audit.log (i know this works)
From there (simultaneously?), is it put in /var/spool/remote.log?
Here, I am not sure how it winds up in this remote.log -- I see no source pushing it here! Only that it magically winds up in the queue file. The queue file DOES update properly -- audits such as deleting a file show up just as I want. But, they never move past this file.
How do rsyslog and audisp-conf interact?
Which one actually sends to a remote server?
Everything may be working fine, but my logging server may only accept UDP, and audisp-remote only uses TCP. How can I get past this, if needed?
I would really appreciate some comments here. I am very confused. There is a lot of documentation I can find on needing to use rsyslog and audisp-remote, but I'm not seeing complete examples.
rsyslog pushes logs to the remote server flawlessly.
Our logging appliance only accepts UDP, it seems. (LogLogic -- shame on you)
audisp-remote only transmits in TCP. No way I could find to make it transmit in UDP.
I could not find a way to directly push audits to syslog....there are a TON of google results for this, but no actual examples.
I finally gave up, and tried another approach:
Set up rsyslog to both listen and transmit.
auditd -> audisp-remote -> send all audits back to itself (local IP) -> rsyslog picks these up, and forwards them to the remote server.
It's messy. Ugly. And a triangle. But it seems to be providing what I need for now.
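As an added example (not the poster's setup or any project's own code): the direct audit-to-syslog path the thread was looking for, without the audisp-remote loopback triangle. The audisp builtin syslog plugin copies every audit record into syslog, and a single-@ rsyslog action forwards those records over UDP to the collector. The remote host and port are placeholders; the function writes under a root directory you pass (use "/" on the real server) so it can be tried in a scratch directory first.

```shell
#!/bin/sh
# Write the two config fragments that route auditd events through syslog.
# Assumed layout: /etc/audisp/plugins.d (audit 1.x/2.x) and /etc/rsyslog.d.
write_audit_syslog_configs() {
    root="${1:?usage: write_audit_syslog_configs ROOT [REMOTE_HOST] [REMOTE_PORT]}"
    remote="${2:-loghost.example.com}"   # placeholder collector address
    port="${3:-514}"                     # standard syslog UDP port
    mkdir -p "$root/etc/audisp/plugins.d" "$root/etc/rsyslog.d"

    # audispd builtin syslog plugin: each audit record is also sent to the
    # local syslog socket at LOG_INFO, so no audisp-remote queue file is involved.
    cat > "$root/etc/audisp/plugins.d/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF

    # rsyslog: forward only messages tagged by audispd; a single "@" is UDP
    # ("@@" would be TCP), which suits a collector that only accepts UDP.
    cat > "$root/etc/rsyslog.d/60-audit-forward.conf" <<EOF
:programname, isequal, "audispd" @${remote}:${port}
EOF
}
```

After writing the real files, restart auditd and rsyslog; the audit records then appear on the collector with the audispd program name and keep landing in /var/log/audit/audit.log as before.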
I did not realize that about monitoring a file w/ rsyslog. When I get a spare server, I will experiment with that.
Thank you very much for your comments on this issue.
And transport=udp is not an option. Only SSH or TCP
In your previous post you said "No way i could find to make it transmit in UDP" meaning that you could not make it work. "Can not make it work" has a different meaning than "not want" or "not an option". If you want to convey something is not an option then do write "not an option" as that would keep your fellow LQ members from having to write about it.