(decided it was best to move this discussion to the list)

We're hitting a system hang that repeatedly displays this to the terminal:
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded

The systems (we're seeing it on multiple platforms) were running simple testcases that used this audit rule:
auditctl -a exit,always -F auid=<tester_auid>

I was able to reproduce the hang on my system. Here's some info about my environment before running the test:
# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 backlog_limit=256 lost=0 backlog=0

auditctl version 0.9.14
Linux 2.6.9-11.EL.audit.71 SMP ppc64

Steve Grubb <sgrubb@redhat.com> wrote on 06/29/2005 09:03:34 AM:

> On Tuesday 28 June 2005 18:53, Debora Velarde wrote:
> > Is 'auditctl -a exit,always -F auid=<tester_auid>' not a reasonable filter
> > rule, and therefore we shouldn't worry about this?

> This is a reasonable rule. However, I don't know anything else about your
> environment. What do you have for flush? How big is your backlog queue? These
> matter more than the rule.
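
Added example, not part of the original messages and not code from the audit project: a Python parser for the two output formats quoted in this thread (the kernel's `audit:` console lines and the `auditctl -s` status line) that reports how many audit records were dropped relative to the status snapshot. The function names are hypothetical, and the sample input is constructed from the lines shown above.

```python
import re

# Constructed sample input: the console lines and status line quoted in the message.
CONSOLE = """\
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
"""
STATUS = ("AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 "
          "backlog_limit=256 lost=0 backlog=0")

KV = re.compile(r"(\w+)=(\d+)")


def parse_status(line):
    """Return the numeric key=value fields of an `auditctl -s` status line."""
    if not line.startswith("AUDIT_STATUS:"):
        raise ValueError("not an auditctl -s status line")
    return {k: int(v) for k, v in KV.findall(line)}


def scan_console(text):
    """Summarise the kernel's 'audit:' backlog messages (hypothetical helper)."""
    out = {"overflows": 0, "max_backlog": 0, "lost": 0, "backlog_limit": None}
    for line in text.splitlines():
        if not line.startswith("audit: "):
            continue  # ignore unrelated console output
        f = {k: int(v) for k, v in KV.findall(line)}
        if "audit_backlog_limit" in f:
            out["backlog_limit"] = f["audit_backlog_limit"]
        if "audit_backlog" in f:
            out["max_backlog"] = max(out["max_backlog"], f["audit_backlog"])
            if f["audit_backlog"] > f.get("audit_backlog_limit", f["audit_backlog"]):
                out["overflows"] += 1
        # audit_lost is a running counter, so keep the highest value seen
        out["lost"] = max(out["lost"], f.get("audit_lost", 0))
    return out


def records_lost_since(status, console):
    """Audit records dropped between the status snapshot and the console messages."""
    return max(0, console["lost"] - status["lost"])


if __name__ == "__main__":
    st, con = parse_status(STATUS), scan_console(CONSOLE)
    print(con, "lost since baseline:", records_lost_since(st, con))
```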