(decided it was best to move this discussion to the list)
We're hitting a system hang that repeatedly displays this to the terminal:
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
The systems (we're seeing it on multiple platforms) were running simple
testcases that used this audit rule:
auditctl -a exit,always -F auid=<tester_auid>
I was able to reproduce the hang on my system. Here's some info about my
environment before running the test:
# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 backlog_limit=256
lost=0 backlog=0
auditctl version 0.9.14
Linux 2.6.9-11.EL.audit.71 SMP ppc64
Steve Grubb <sgrubb(a)redhat.com> wrote on 06/29/2005 09:03:34 AM:
On Tuesday 28 June 2005 18:53, Debora Velarde wrote:
> Is 'auditctl -a exit,always -F auid=<tester_auid>' not a reasonable filter
> rule, and therefore we shouldn't worry about this?
This is a reasonable rule. However, I don't know anything else about your
environment. What do you have for flush? How big is your backlog queue? These
matter more than the rule.
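The kernel messages and `auditctl -s` output quoted above carry everything needed to judge whether the backlog queue, rather than the rule, is the problem. Below is an added example (not code from the thread or from the audit project) that parses those two text sources, reports the peak backlog against the configured limit and the number of lost records, and suggests a larger `backlog_limit` (set with `auditctl -b`). The sample inputs are constructed from the lines in the thread; the suggested-limit heuristic (double the limit, or at least the observed peak) is the example's own assumption, not guidance from the list.

```python
import re

# Constructed sample of the kernel messages quoted in the thread (not live dmesg output).
SAMPLE_DMESG = """\
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
"""

# Constructed `auditctl -s` output mirroring the thread (pid value is hypothetical).
SAMPLE_STATUS = """\
AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 backlog_limit=256
lost=0 backlog=0
"""

KV_RE = re.compile(r"(\w+)=(\d+)")
OVERFLOW_RE = re.compile(r"audit_backlog=(\d+) > audit_backlog_limit=(\d+)")

def parse_kv(text):
    """Return every key=integer pair found in the text; later occurrences win."""
    return {k: int(v) for k, v in KV_RE.findall(text)}

def backlog_overflow_events(dmesg_text):
    """Return (backlog, limit) pairs for each 'audit_backlog=N > audit_backlog_limit=M' line."""
    return [(int(b), int(lim)) for b, lim in OVERFLOW_RE.findall(dmesg_text)]

def suggest_limit(current_limit, peak_backlog):
    """Heuristic (assumption of this example): double the limit, but never below the peak seen."""
    return max(current_limit * 2, peak_backlog)

def assess(dmesg_text, status_text):
    """Combine kernel messages and auditctl -s status into one verdict dict."""
    status = parse_kv(status_text)
    kernel = parse_kv(dmesg_text)
    events = backlog_overflow_events(dmesg_text)

    limit = status.get("backlog_limit", kernel.get("audit_backlog_limit", 0))
    peak = max((b for b, _ in events), default=status.get("backlog", 0))
    lost = kernel.get("audit_lost", status.get("lost", 0))
    overflowed = bool(events) or "audit_backlog_limit exceeded" in dmesg_text

    # auditctl -f sets the failure flag: 0 = silent, 1 = printk, 2 = panic.
    # flag=1 explains why the overflow shows up as console messages rather than a panic.
    failure_mode = {0: "silent", 1: "printk", 2: "panic"}.get(status.get("flag"), "unknown")

    return {
        "overflowed": overflowed,
        "peak_backlog": peak,
        "backlog_limit": limit,
        "lost_records": lost,
        "failure_mode": failure_mode,
        "suggested_limit": suggest_limit(limit, peak) if overflowed else limit,
    }

if __name__ == "__main__":
    verdict = assess(SAMPLE_DMESG, SAMPLE_STATUS)
    for key, value in verdict.items():
        print(f"{key}={value}")
    if verdict["overflowed"]:
        print(f"consider: auditctl -b {verdict['suggested_limit']}")
```

On a live system the two inputs would come from `dmesg` and `auditctl -s`; the example keeps them inline so it runs offline. A lost count that keeps rising after raising the limit points at the consumer (auditd and its flush setting) rather than the queue size, which is the distinction the reply above is asking about.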