AUDISPD.CONF:(5)        System Administration Utilities       AUDISPD.CONF:(5)

NAME

       audispd.conf - the audit event dispatcher configuration file

DESCRIPTION

       audispd.conf is the file that controls the configuration of the audit
       event dispatcher. Each line should contain one configuration keyword,
       an equal sign, and then the appropriate configuration information.
       All option names and values are case insensitive. The keywords
       recognized are listed and described below. Each line should be limited
       to 160 characters or the line will be skipped. You may add comments to
       the file by starting the line with a '#' character.

       q_depth
              This is a numeric value that tells how big to make the internal
              queue of the audit event dispatcher. A bigger queue lets it
              handle a flood of events better, but could hold events that are
              not processed when the daemon is terminated. If you get messages
              in syslog about events getting dropped, increase this value. The
              default value is 80.

       overflow_action
              This option determines how the daemon should react to
              overflowing its internal queue. When this happens, it means that
              more events are being received than it can get rid of. This
              error means that it is going to lose the current event it is
              trying to dispatch. It has the following choices: ignore,
              syslog, suspend, single, and halt. If set to ignore, the audisp
              daemon does nothing. syslog means that it will issue a warning
              to syslog. suspend will cause the audisp daemon to stop
              processing events. The daemon will still be alive. The single
              option will cause the audisp daemon to put the computer system
              in single user mode. The halt option will cause the audisp
              daemon to shut down the computer system.

       priority_boost
              This is a non-negative number that tells the audit event
              dispatcher how much of a priority boost it should take. This
              boost is in addition to the boost provided from the audit
              daemon. The default is 4. No change is 0.

       max_restarts
              This is a non-negative number that tells the audit event
              dispatcher how many times it can try to restart a crashed
              plugin. The default is 10.

       name_format
              This option controls how computer node names are inserted into
              the audit event stream. It has the following choices: none,
              hostname, fqd, numeric, and user. None means that no computer
              name is inserted into the audit event. hostname is the name
              returned by the gethostname syscall. The fqd means that it takes
              the hostname and resolves it with DNS for a fully qualified
              domain name of that machine. Numeric is similar to fqd except
              it resolves the IP address of the machine. User is an
              admin-defined string from the name option. The default value is
              none.

       name   This is the admin-defined string that identifies the machine if
              user is given as the name_format option.

       plugin_dir
              This is the location that audispd will use to search for its
              plugin configuration files.
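
The following lint check is an added example, not part of the original man page or of the audit package; it applies the rules stated above (one keyword = value per line, case-insensitive names and values, the 160-character limit, '#' comments, and the listed choices) to a constructed sample. Assumptions: q_depth is checked as a non-negative number like the other numeric options, name_format = user is treated as requiring name, and the lint() function and SAMPLE text are hypothetical names introduced here.

```python
MAX_LINE = 160  # longer lines are skipped, per DESCRIPTION
CHOICES = {
    "overflow_action": {"ignore", "syslog", "suspend", "single", "halt"},
    "name_format": {"none", "hostname", "fqd", "numeric", "user"},
}
NUMERIC = {"q_depth", "priority_boost", "max_restarts"}
KNOWN = set(CHOICES) | NUMERIC | {"name", "plugin_dir"}

# Constructed sample with deliberate mistakes; not a shipped default.
SAMPLE = """\
# dispatcher settings
q_depth = 80
Overflow_Action = IGNORE
priority_boost = -1
name_format = user
max_restart = 10
"""


def lint(text):
    """Return (settings, findings) for audispd.conf text."""
    settings, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # assumption: surrounding whitespace is tolerated
        if not line or line.startswith("#"):
            continue
        if len(raw) > MAX_LINE:
            findings.append(f"line {no}: over {MAX_LINE} characters, skipped")
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            findings.append(f"line {no}: expected 'keyword = value'")
        elif key not in KNOWN:
            findings.append(f"line {no}: unknown keyword '{key}'")
        elif key in CHOICES and value.lower() not in CHOICES[key]:
            findings.append(f"line {no}: {key}: unknown choice '{value}'")
        elif key in NUMERIC and not (value.isascii() and value.isdigit()):
            findings.append(f"line {no}: {key}: not a non-negative number")
        else:  # option names and values are case insensitive
            settings[key] = value.lower() if key in CHOICES else value
    if settings.get("name_format") == "user" and "name" not in settings:
        findings.append("name_format = user needs the name option")
    if settings.get("overflow_action") == "ignore":
        findings.append("overflow_action = ignore: lost events go unreported")
    return settings, findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)[1]))
```

On the sample it reports the negative priority_boost, the misspelled max_restart keyword, the missing name option, and the ignore overflow action.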

SEE ALSO

       audispd(8)

Red Hat                           March 2014                  AUDISPD.CONF:(5)