12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed



Configuring the Audit Daemon

log_format
Format to use when writing logs. When set to RAW, the data is written to the log file in the exact format retrieved from the kernel. When set to NOLOG, data is not written to the log file, but data is still sent to the audit event dispatcher if one is specified with the dispatcher option.

priority_boost
How much of a priority boost the audit daemon should take. Must be a nonnegative number with 0 indicating no change.

flush
How often to write data to log file. Value can be one of NONE, INCREMENTAL, DATA, and SYNC. If set to NONE, no special effort is made to flush data to the log file. If set to INCREMENTAL, the value of the freq option is used to determine how often a flush to disk occurs. If set to DATA, the audit data and log file are in constant synchronization. If set to SYNC, the data and meta-data are synchronized with every write to the log file.

freq
If flush is set to INCREMENTAL, the number of records the audit daemon receives from the kernel before writing them to the log file.

num_logs
Number of log files to keep if max_log_file_action is set to ROTATE. Must be a number from 0 to 99. If set to less than 2, logs are not rotated. If the number of log files is increased, it might be necessary to increase the kernel backlog setting in /etc/audit/audit.rules to allow time for the log rotation. If a num_logs value is not set, it defaults to 0, which means the log file is never rotated.

dispatcher
Program started by the audit daemon when the daemon is started. All audit events are passed to the program. It can be used to further customize reports or produce them in a different format compatible with your custom analysis programs. Sample code for a customized program can be found in /usr/share/doc/audit-/skeleton.c. The dispatcher program is run with root privileges, so practice extreme caution when using this option. This option is not required.

disp_qos
Controls the type of communication between the dispatcher and the audit daemon. Valid values are lossy and lossless. If set to lossy, incoming events sent to the dispatcher are discarded if the buffer between the audit daemon and dispatcher is full (the buffer is 128 kilobytes). However, events are still written to disk as long as log_format is not set to nolog. If set to lossless, the daemon waits for the buffer to have sufficient space before sending the event to the dispatcher and before writing the log to disk.
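The option interactions described above can be checked mechanically before a configuration is deployed. The following Python linter is an added example, not code from the book or the audit package; the sample configuration and the dispatcher path in it are constructed, and requiring a positive freq for INCREMENTAL is this example's own policy.

```python
SAMPLE_CONF = """\
# Constructed sample, not from the book; the dispatcher path is hypothetical.
log_format = NOLOG
dispatcher = /usr/local/sbin/audit-forwarder
disp_qos = lossy
flush = NONE
num_logs = 1
max_log_file_action = ROTATE
"""

def parse_conf(text):
    """Parse 'option = value' lines, skipping blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

def lint(conf):
    """Return (option, message) findings for settings that weaken the audit trail."""
    out = []
    nolog = conf.get("log_format", "").upper() == "NOLOG"
    if nolog and not conf.get("dispatcher"):
        out.append(("log_format", "NOLOG with no dispatcher: events are stored nowhere"))
    elif nolog and conf.get("disp_qos", "").lower() == "lossy":
        out.append(("disp_qos", "dispatcher is the only sink; lossy drops events when its buffer is full"))
    flush = conf.get("flush", "").upper()
    if flush == "NONE":
        out.append(("flush", "no special effort is made to flush records to the log file"))
    if flush == "INCREMENTAL" and (to_int(conf.get("freq")) or 0) <= 0:
        out.append(("freq", "INCREMENTAL flush needs a positive freq (example policy)"))
    num_logs = to_int(conf.get("num_logs", "0"))  # the table gives 0 as the default
    if num_logs is None or not 0 <= num_logs <= 99:
        out.append(("num_logs", "must be a number from 0 to 99"))
    elif num_logs < 2 and conf.get("max_log_file_action", "").upper() == "ROTATE":
        out.append(("num_logs", "ROTATE is set but fewer than 2 logs means no rotation"))
    return out

if __name__ == "__main__":
    for option, message in lint(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {message}")
```

To check a live system, pass the contents of the daemon's configuration file to parse_conf in place of SAMPLE_CONF.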
