AUDISPD.CONF:(5)        System Administration Utilities        AUDISPD.CONF:(5)

       audispd.conf - the audit event dispatcher configuration file

       audispd.conf is the file that controls the configuration of the audit
       event dispatcher. Each line should contain one configuration keyword,
       an equal sign, and then the appropriate configuration information.
       All option names and values are case insensitive. The keywords
       recognized are listed and described below. Each line should be limited
       to 160 characters or the line will be skipped. You may add comments to
       the file by starting the line with a '#' character.

       q_depth
              This is a numeric value that tells how big to make the internal
              queue of the audit event dispatcher. A bigger queue lets it
              handle a flood of events better, but could hold events that are
              not processed when the daemon is terminated. If you get messages
              in syslog about events getting dropped, increase this value. The
              default value is 80.

       overflow_action
              This option determines how the daemon should react to
              overflowing its internal queue. When this happens, it means that
              more events are being received than it can get rid of. This
              error means that it is going to lose the current event it is
              trying to dispatch. It has the following choices: ignore,
              syslog, suspend, single, and halt. If set to ignore, the audisp
              daemon does nothing. syslog means that it will issue a warning
              to syslog. suspend will cause the audisp daemon to stop
              processing events. The daemon will still be alive. The single
              option will cause the audisp daemon to put the computer system
              in single user mode. The halt option will cause the audisp
              daemon to shut down the computer system.

       priority_boost
              This is a non-negative number that tells the audit event
              dispatcher how much of a priority boost it should take. This
              boost is in addition to the boost provided from the audit
              daemon. The default is 4. No change is 0.

       max_restarts
              This is a non-negative number that tells the audit event
              dispatcher how many times it can try to restart a crashed
              plugin. The default is 10.

       name_format
              This option controls how computer node names are inserted into
              the audit event stream. It has the following choices: none,
              hostname, fqd, numeric, and user. None means that no computer
              name is inserted into the audit event. hostname is the name
              returned by the gethostname syscall. The fqd means that it takes
              the hostname and resolves it with DNS for a fully qualified
              domain name of that machine. Numeric is similar to fqd except
              it resolves the IP address of the machine. User is an
              admin-defined string from the name option. The default value is
              none.

       name   This is the admin-defined string that identifies the machine if
              user is given as the name_format option.

       plugin_dir
              This is the location that audispd will use to search for its
              plugin configuration files.

       audispd(8)

Red Hat                           March 2014                 AUDISPD.CONF:(5)