I'm having trouble getting my "audit_backlog_limit" boot
parameter accepted.
I have the following 2 audit parameters on my boot line:
audit=1
audit_backlog_limit=8192
My /proc/cmdline shows them both once booted up.
But I'm not getting the audit_backlog_limit applied to the kernel audit startup. I have an auditctl -b 8192 that runs from the audit.rules, and the resulting CONFIG_CHANGE event shows "...audit_backlog_limit=8192, old=64...".
After startup I run:
# auditctl -s
and see that I've lost 93 events.
Looking at the kernel code, I see that if the "audit=1" value is set, it should print "enabled (after initialization)", which I see in both dmesg and /var/log/messages.
The second one (audit_backlog_limit=8192) should output IIUC:
It's as if the parameter is being ignored. I've tried moving it
to a different spot so it isn't the last on the line, etc.
Nothing.
I stumbled on this because I'm not seeing the "SYSTEM_BOOT"
events anymore; I suspect they are in the missing ones.
Pretty sure I don't have a typo; I've put it into the grub config and run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that. Again, the parameter is there in /proc/cmdline but doesn't seem to be accepted. No warnings about it either AFAICT.
RHEL7.6, kernel 3.10.0-957
Don't think the audit userspace version makes much difference, but it is 2.8.5.
Thanks in advance,
LCB
-- Lenny Bruzenak MagitekLTD
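An added check, not part of the post above: it compares the backlog limit requested on the kernel command line with the one the running audit subsystem reports and flags events already lost. The `auditctl -s` field names (`backlog_limit`, `lost`) are those of the 2.8.x output format, and the sample command line and status below are constructed to mirror the situation described in the post.

```sh
#!/bin/sh
# Added example (not from the original post). Both inputs are passed as strings,
# so it runs on the constructed samples below or on the live values:
#   check_backlog "$(cat /proc/cmdline)" "$(auditctl -s)"

# Print N from the last audit_backlog_limit=N on a kernel command line (or nothing).
cmdline_backlog_limit() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^audit_backlog_limit=\([0-9][0-9]*\)$/\1/p' | tail -n 1
}

# Print the numeric value of one field (e.g. backlog_limit, lost) of `auditctl -s` output.
auditctl_field() {
    printf '%s\n' "$2" | sed -n "s/^$1 \([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Report "ok", "mismatch" or "absent" with the lost counter; return 0 only when the
# kernel honoured the command-line value and no events have been dropped.
check_backlog() {
    want=$(cmdline_backlog_limit "$1")
    have=$(auditctl_field backlog_limit "$2")
    lost=$(auditctl_field lost "$2")
    lost=${lost:-0}
    if [ -z "$want" ]; then
        state=absent
    elif [ "$want" = "$have" ]; then
        state=ok
    else
        state=mismatch
    fi
    echo "$state: cmdline=${want:-none} kernel=${have:-unknown} lost=$lost"
    if [ "$state" = ok ] && [ "$lost" -eq 0 ]; then return 0; fi
    return 1
}

# Constructed samples modelled on the post: the parameter is present on the
# command line, but the kernel still reports the default limit of 64 and has
# already dropped 93 events.
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-3.10.0-957.el7.x86_64 root=/dev/mapper/rhel-root ro audit=1 audit_backlog_limit=8192'
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 64
lost 93
backlog 0'

check_backlog "$SAMPLE_CMDLINE" "$SAMPLE_STATUS" || echo "audit backlog check failed"
```

Run it from an early boot unit, before audit.rules raises the limit, to see whether the kernel applied the parameter on its own.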