I'm designing a filesystem operations (file creation, file deletion, file open, permissions change, etc) and process executions tracking application using Auditbeat. This tracking app should not lose events in any case, so I'm checking all crash possibilities and how the app could handle them.
If Auditbeat crashes, do I lose auditd events until it's restarted ? My understanding is that I would not lose events if auditbeat gets restarted before the kernel event queue fills up. Is that right?
If Auditbeat is killed, do I lose auditd events until it's restarted? I hope that the action defined in the failure_mode config option will be taken (in other words, does Auditbeat handle a SIGTERM/SIGINT OS signal and does whatever is specified in failure_mode) ? If that is true, I could set the "panic" value in failure_mode and be sure I would not lose events. I'm aware that Auditbeat would not be notified if it was terminated forcefully with a SIGKILL and can do nothing about it.
Most important question: if Auditbeat crashes or is killed, it's not restarted until the kernel event queue fills up and I lose events, will auditbeat detect that when it restarts and log the incident?