Discussion:
unlimit retries for remote plugin restart
Levin Stanislav
2018-04-12 06:13:39 UTC
Hello All!


I have a question.


Let's assume we have client's audit service and audit gatherer placed on
a remote host.

Using au-remote plugin client sends logs to remote.


Let's stop (do not start then) remote's audit service and restart
client's one.

After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.

Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").


How can I solve this issue without client's audit service
restart? Is it possible by any settings/configs?


Any help would be appreciated.

Thank you in advance.
Steve Grubb
2018-04-12 14:32:17 UTC
Post by Levin Stanislav
Hello All!
I have a question.
So do I. :-)

Which version of the audit package are you using? There were some logging
robustness updates in the 2.8 series.
Post by Levin Stanislav
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
So, if I understand this scenario, you are starting the client side while the
server is down?
Post by Levin Stanislav
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can I solve this issue without client's audit service
restart?
Typically, you need to send SIGUSR2 to audisp-remote.
Post by Levin Stanislav
Is it possible by any settings/configs?
Any help would be appreciated.
I'll look into it, but please if you could let me know the answer to the
above 2 questions.

-Steve
Steve Grubb
2018-06-20 17:55:35 UTC
Post by Levin Stanislav
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can I solve this issue without client's audit service
restart? Is it possible by any settings/configs?
Please give audit-2.8.4 a shot. It should solve this problem.

-Steve
Levin Stanislav
2018-06-26 13:19:43 UTC
Hello, Steve!

The solution is verified! There is no problem.

Thank you so much!

Good luck!
Post by Steve Grubb
Post by Levin Stanislav
Let's assume we have client's audit service and audit gatherer placed on
a remote host.
Using au-remote plugin client sends logs to remote.
Let's stop (do not start then) remote's audit service and restart
client's one.
After that overcome max_restarts limit (e.g. default 10) from
/etc/audisp/audispd.conf by audit's events.
Then start remote's audit service and trigger any audit event on client.
But audisp-remote process is dead ("plugin /sbin/audisp-remote has
exceeded max_restarts").
How can I solve this issue without client's audit service
restart? Is it possible by any settings/configs?
Please give audit-2.8.4 a shot. It should solve this problem.
-Steve