Hi Each publisher contain a `run ` function that g

Question

< Jean M> Hi Each publisher contain a `run ` function that gets called periodically and so drives the event collection and publishing logic Each time that function gets called it will increase that value you see

Jean M · Answer

OK I assume if it s increasing fast it means the corresponding event is being triggered frequently

Jean M · Answer

do you know if there s any table field information that store lost events information

Stefano Bonicatti · Answer

For the refreshes count that is always increasing either if you are actually collecting and sending events or not There s a base delay between calls which is 200ms to avoid busy loops

Stefano Bonicatti · Answer

Well I should add if the publisher is enabled and is not being tear down

Jean M · Answer

Thanks

alessandrogario · Answer

There is no table that captures data about events that have been lost Speaking about the Audit based publishers it is possible to request how many events have been lost but has not been implemented yet This value can be manually inspected by running `auditctl status` from the shell

alessandrogario · Answer

The effect of a lost event most of the time leads to missing records in the re assembly phase of the full event This is logged as an error but is not accessible from a table