Commit 2b5cf2c6 authored by Adam Lewenberg

add overflow_action parameter

parent 6b3b594a
release/002.002 (2017-12-31)
Make the file /etc/audisp/audispd.conf a template file so we can
override the overflow action. Add the parameter
audit::auditd::overflow_action in support of this. (adamhl)
release/002.001 (2017-11-01)
Due to the changes to the parameters and some heavy refactoring,
......
......@@ -26,6 +26,12 @@
# rsyslog will forward lines from /var/log/audisp-simplify to the
# logsink server.
# Default: true
#
# $overflow_action: What to do if the audispd process queue gets full. The
# default is 'SYSLOG' which sends error messages to /var/log/syslog. Howver,
# this can in cause the disk to get full with these messages, so to avoid
# this, you can set the value to 'IGNORE'.
# Default: 'SYSLOG'
define audit::auditd (
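Review bot: The new $overflow_action comment has two typos ("Howver", "can in cause") and names only 'SYSLOG' and 'IGNORE' without saying what choosing 'IGNORE' gives up. Since this is an audit pipeline, state in the comment that with 'IGNORE' a full audispd queue no longer produces the syslog error messages, and list the values the parameter is meant to accept, so whoever sets it knows they are trading disk safety for visibility into queue overflows.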
......@@ -40,6 +46,7 @@ define audit::auditd (
$use_logsink_server = true,
$space_left = 5000,
$space_left_action = 'SYSLOG',
$overflow_action = 'SYSLOG',
$ensure
) {
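Review bot: $overflow_action is accepted as a free-form value with no check, and this same commit writes it verbatim into /etc/audisp/audispd.conf. Validate it at the top of the define against the values you intend to support (at least 'SYSLOG' and 'IGNORE', per the doc comment) and fail the catalog otherwise, so a typo or stray string cannot end up in the dispatcher config.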
......@@ -84,8 +91,8 @@ define audit::auditd (
# Where to send the audit logs.
file { '/etc/audisp/audispd.conf':
source => "$afile/etc/audisp/audispd.conf",
require => Package['auditd'];
content => template('audit/etc/audisp/audispd.conf.erb'),
require => Package['auditd'];
}
# Setup audisp-simplify.
......
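Review bot: The file resource for /etc/audisp/audispd.conf carries only content and require, with no notify or subscribe relationship visible. Unless the service subscribes to this file elsewhere in the manifest, changing overflow_action will rewrite the file without the running daemon picking it up; add a notify to the audit service here or confirm one exists. If nothing else references the static copy under "$afile/etc/audisp/audispd.conf", remove it from the module so it does not drift from the template.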
#
# This file controls the configuration of the audit event
# This file controls the configuration of the audit event
# dispatcher daemon, audispd.
#
q_depth = 32767
overflow_action = SYSLOG
overflow_action = <%= @overflow_action %>
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
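Review bot: Now that audispd.conf is rendered from audit/etc/audisp/audispd.conf.erb, the header comment at the top of the template should say the file is managed by Puppet and that local edits will be overwritten; as written it still reads like a hand-maintained file. The first comment line ("# This file controls the configuration of the audit event") also shows as removed and re-added with no visible difference, so check whether that is an unintended whitespace-only change.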