Apologies if this has been answered. I searched and found some
relevant-looking dialog 2 years ago (on 12/14/2018) that Paul/RGB/Ondrej
were discussing, however I do not see the answer.
I'm running userspace 2.8.5, kernel 3.10.0-1160.
I have boot parameters "audit=1 ... audit_backlog_limit=8192".
Immediately after boot, I use "auditctl -s" and see hundreds (varies,
between 119-330) of lost records.
So I cleaned out all the audit data, rebooted again and examined the events.
They are numbered sequentially 1-515. I counted the events and they
match (515).
So my questions are these:
* Is this "lost" value accurate?
* If the numbering doesn't indicate any gaps, what does that tell me?
The kernel is supplying the serial number (right?), so is it
discarding the events without assigning a serial number?
* Do I have something wrong with my kernel boot parameters?
I'd have thought that 8k buffers would be enough, and certainly if I
only have 515 events, it should be. Unless each record inside the event is
adding. I also then counted each record, not just events, and got around
1600, so I'd have thought that even multi-record events would have fit.
I guess that depends on the buffer size.
Appreciate the help in advance; thanks.
LCB
--
Lenny Bruzenak
MagitekLTD
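The two checks the post describes by hand, counting distinct events versus records in audit.log and looking for gaps in the serial numbers, alongside reading the "lost" counter from `auditctl -s`, can be scripted. The following is an added example written for this thread, not code from the poster or from the audit project. It embeds constructed sample data: a handful of audit.log-style lines in which serial 3 is deliberately absent and serial 2 spans two records, and an `auditctl -s` status block whose field names are assumed to match what the 2.8.x tool prints. The default log path /var/log/audit/audit.log is only mentioned in the usage note, not read by the script.

```python
import re

# Constructed sample in the format of /var/log/audit/audit.log.
# Serial 3 is deliberately missing (to show what a gap looks like) and
# serial 2 has two records (SYSCALL + EXECVE), i.e. one event, two lines.
SAMPLE_AUDIT_LOG = """\
type=DAEMON_START msg=audit(1607980000.100:1): op=start ver=2.8.5 format=raw kernel=3.10.0-1160 auid=4294967295 pid=1001 uid=0 ses=4294967295 res=success
type=SYSCALL msg=audit(1607980000.200:2): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=1002 auid=4294967295 uid=0 gid=0 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
type=EXECVE msg=audit(1607980000.200:2): argc=1 a0="/usr/lib/systemd/systemd"
type=CONFIG_CHANGE msg=audit(1607980000.300:4): audit_backlog_limit=8192 old=64 auid=4294967295 ses=4294967295 res=1
type=SERVICE_START msg=audit(1607980000.400:5): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Constructed sample of `auditctl -s` output; field names assumed to follow
# the "name value" layout printed by audit userspace 2.8.x.
SAMPLE_AUDITCTL_STATUS = """\
enabled 1
failure 1
pid 1003
rate_limit 0
backlog_limit 8192
lost 130
backlog 0
"""

# Every record carries msg=audit(<timestamp>:<serial>); the serial is what
# ties the records of one event together.
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def summarize_audit_log(text):
    """Return (records, events, first_serial, last_serial, missing_serials).

    records  - number of lines carrying an audit serial
    events   - number of distinct serials (an event may span several records)
    missing  - serials absent between the lowest and highest seen
    """
    records_per_serial = {}
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        records_per_serial[serial] = records_per_serial.get(serial, 0) + 1
    if not records_per_serial:
        return 0, 0, None, None, []
    serials = sorted(records_per_serial)
    missing = [s for s in range(serials[0], serials[-1] + 1)
               if s not in records_per_serial]
    return (sum(records_per_serial.values()), len(serials),
            serials[0], serials[-1], missing)


def parse_auditctl_status(text):
    """Parse `auditctl -s` lines of the form 'name value' into a dict of ints."""
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            status[parts[0]] = int(parts[1])
    return status


def report(log_text, status_text):
    """Put the log summary and the kernel's lost/backlog counters side by side."""
    records, events, first, last, missing = summarize_audit_log(log_text)
    status = parse_auditctl_status(status_text)
    return {
        "records": records,
        "events": events,
        "serial_range": (first, last),
        "missing_serials": missing,
        "kernel_lost": status.get("lost"),
        "backlog_limit": status.get("backlog_limit"),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_AUDIT_LOG, SAMPLE_AUDITCTL_STATUS).items():
        print(f"{key}: {value}")
```

To run it against a real system, replace the two constructed strings with the contents of /var/log/audit/audit.log (after the same clean-out-and-reboot procedure the post describes, so the file starts at serial 1) and the output of `auditctl -s`. The script reports both numbers the post compares, the kernel's "lost" counter and whether the serial range has any holes, without drawing a conclusion from them; the sample data is built so that one gap (serial 3) and one multi-record event (serial 2) are visible in the output.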