Provided by: auditd_1.6.5-0ubuntu3_i386
audispd - the audit event dispatcher configuration file
audispd.conf is the file that controls the configuration of the audit
event dispatcher. The options that are available are as follows:

q_depth This is a numeric value that tells how big to make the internal
queue of the audit event dispatcher. A bigger queue lets it
handle a flood of events better, but could hold events that are
not processed when the daemon is terminated. If you get messages
in syslog about events getting dropped, increase this value. The
default value is 64.

overflow_action This option determines how the daemon should react to
overflowing its internal queue. When this happens, it means that
more events are being received than it can get rid of. This
error means that it is going to lose the current event it is
trying to dispatch. It has the following choices: ignore,
syslog, suspend, single, and halt. If set to ignore, the audisp
daemon does nothing. syslog means that it will issue a warning
to syslog. suspend will cause the audisp daemon to stop
processing events. The daemon will still be alive. The single
option will cause the audisp daemon to put the computer system
in single user mode. The halt option will cause the audisp daemon
to shut down the computer system.

name_format This option controls how computer node names are inserted into
the audit event stream. It has the following choices: none,
hostname, fqd, numeric, and user. none means that no computer
name is inserted into the audit event. hostname is the name
returned by the gethostname syscall. fqd means that it takes
the hostname and resolves it with DNS for a fully qualified
domain name of that machine. numeric is similar to fqd except
it resolves the IP address of the machine. user is an
admin-defined string from the name option. The default value is none.

name This is the admin-defined string that identifies the machine if
user is given as the name_format option.
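
The following is an added example, not part of the original manual page or the audit project's code: a small Python linter that checks an audispd.conf against the option descriptions above. It assumes the usual `key = value` file layout with `#` comment lines, uses the option names q_depth and overflow_action from the audispd.conf shipped with auditd, and compares values case-insensitively (an assumption); the sample file is constructed.

```python
# Added example: lint audispd.conf settings described in this page.
OVERFLOW_ACTIONS = {"ignore", "syslog", "suspend", "single", "halt"}
NAME_FORMATS = {"none", "hostname", "fqd", "numeric", "user"}
DEFAULTS = {"q_depth": "64", "name_format": "none"}  # defaults stated in the text

def parse_conf(text):
    """Return {key: value} from 'key = value' lines (assumed file layout)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        conf[key.strip().lower()] = value.strip()
    return conf

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = {**DEFAULTS, **parse_conf(text)}
    findings = []
    if not conf["q_depth"].isdigit() or int(conf["q_depth"]) < 1:
        findings.append("q_depth: must be a positive number")
    action = conf.get("overflow_action", "").lower()
    if "overflow_action" in conf and action not in OVERFLOW_ACTIONS:
        findings.append(f"overflow_action: unknown value {action!r}")
    elif action == "ignore":
        findings.append("overflow_action: ignore loses events on overflow with no warning")
    elif action in ("single", "halt"):
        findings.append(f"overflow_action: {action} changes the system run state; confirm intent")
    fmt = conf["name_format"].lower()
    if fmt not in NAME_FORMATS:
        findings.append(f"name_format: unknown value {fmt!r}")
    elif fmt == "none":
        findings.append("name_format: none, events carry no computer name")
    elif fmt == "user" and not conf.get("name"):
        findings.append("name_format: user is set but name is empty")
    return findings

# Constructed sample configuration (not taken from any real host).
SAMPLE = """\
# audispd.conf (constructed)
q_depth = 64
overflow_action = ignore
name_format = user
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```
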