Apologies if this has been answered. I searched and found some relevant-looking dialog 2 years ago (on 12/14/2018) that Paul/RGB/Ondrej were discussing, however I do not see the answer.
I'm running userspace 2.8.5, kernel 3.10.0-1160.
I have boot parameters "audit=1 ... audit_backlog_limit=8192".
Immediately after boot, I use "auditctl -s" and see hundreds (varies, between 119-330) of lost records.
So I cleaned out all the audit data, rebooted again and examined
the events.
They are numbered sequentially 1-515. I counted the events and
they match (515).
So my questions are these:
I'd have thought that 8k buffers would be enough, and certainly
if I only have 515 events, it should be. Unless each record inside
the event is adding. I also then counted each record, not just
events, and got around 1600, so I'd have thought that even
multi-record events would have fit. I guess that depends on the
buffer size.
Appreciate the help in advance; thanks.
LCB
-- Lenny Bruzenak MagitekLTD
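The check described in the post (read the kernel's lost counter and backlog limit from `auditctl -s`, then count how many distinct events and how many individual records actually reached the log) can be scripted so the two numbers are compared side by side. The script below is an added example and is not code from the original post or from the audit project. It assumes the `key value` line format that `auditctl -s` prints and the `msg=audit(timestamp:serial)` stamp that every raw audit record carries; the status output and the raw records embedded here are constructed samples, not captured from the poster's system.

```shell
#!/bin/sh
# Constructed sample of `auditctl -s` output (key/value per line, as auditctl prints it).
AUDITCTL_STATUS_SAMPLE='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 217
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# Constructed sample of raw audit records: 3 events, 6 records in total.
# Records belonging to one event share the serial after the colon in msg=audit(ts:serial).
AUSEARCH_RAW_SAMPLE='type=SYSCALL msg=audit(1609459200.101:1): arch=c000003e syscall=59 success=yes exit=0
type=EXECVE msg=audit(1609459200.101:1): argc=2 a0="ls" a1="-l"
type=CWD msg=audit(1609459200.101:1): cwd="/root"
type=PATH msg=audit(1609459200.101:1): item=0 name="/usr/bin/ls"
type=DAEMON_START msg=audit(1609459200.050:2): op=start ver=2.8.5
type=SERVICE_START msg=audit(1609459200.300:3): pid=1 uid=0 auid=4294967295'

# Print one field ("lost", "backlog_limit", ...) from auditctl -s text read on stdin.
status_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Number of records: each raw line carries exactly one msg=audit(...) stamp.
count_records() {
    grep -c 'msg=audit(' || true
}

# Distinct event serials, numerically sorted, one per line.
event_serials() {
    sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p' | sort -n -u
}

# Number of distinct events in the raw text on stdin.
count_events() {
    event_serials | awk 'END { print NR }'
}

# Highest serial seen; if it exceeds count_events, some serials never made it to disk.
max_serial() {
    event_serials | tail -n 1
}

# One-line summary: kernel counters next to what was actually logged.
# Usage: backlog_report "$(auditctl -s)" "$(ausearch --raw -ts boot)"
backlog_report() {
    status="$1"
    raw="$2"
    lost=$(printf '%s\n' "$status" | status_field lost)
    limit=$(printf '%s\n' "$status" | status_field backlog_limit)
    records=$(printf '%s\n' "$raw" | count_records)
    events=$(printf '%s\n' "$raw" | count_events)
    highest=$(printf '%s\n' "$raw" | max_serial)
    printf 'backlog_limit=%s lost=%s logged_events=%s highest_serial=%s logged_records=%s\n' \
        "$limit" "$lost" "$events" "$highest" "$records"
}

backlog_report "$AUDITCTL_STATUS_SAMPLE" "$AUSEARCH_RAW_SAMPLE"
```

On a live system the two arguments come from `auditctl -s` and `ausearch --raw` over the boot window; the useful comparison is records (not events) against `backlog_limit` and `lost`, since the kernel backlog is counted in records, and a gap between `highest_serial` and `logged_events` shows whether whole events went missing rather than just trailing records.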