On Monday, November 04, 2013 07:46:18 PM Burn Alting wrote:
> Hi,
> I have some quite busy hosts, that emit the following errors when I
> request the audit log file is rolled over (via a kill -s USR1
> auditd pid).
> Error receiving audit netlink packet(No buffer space available)
> Error sending signal_info request (No buffer space available)
> From reading earlier posts (circa 2009) it would appear my options are
> a. Increase backlog buffer (currently 32768)
> b. Increase priority_boost (currently 4)
> c. Reduce the number of log files (currently 9)
> Another corollary to this is that you can increase the file size and decrease
> the total files which would help on rotation.
> Does anyone have a feel for which of the above should offer the best
> return?
There are 2 more options:
1) Review the rules to make sure you are not getting events that you really do
not need. If you have a lot of false positives, then you might add some
arguments that better narrow the results. For example, perhaps you have this
rule:
-a always,exit -F arch=b64 -S clock_settime -k time-change
This can give a lot of false positives. The one that really matters is when a
program sets CLOCK_REALTIME (the wall clock). So, the rule can be re-written
as:
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
which narrows its scope.
2) You might experiment with cgroups.
> Are there other configuration parameters I could adjust (aside from
> changing my ruleset in audit.rules)?
There might be general disk tuning parameters in sysctl that could help as
well. Choice of file system also has performance impacts. I haven't done any
experimenting on the performance side, but I know there are people here that
also have very busy systems.
-Steve
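As an added illustration of the rule-narrowing point above (this is not code from the thread or from the audit project), the script below parses a constructed sample of auditd SYSCALL records and counts how many clock_settime events the broad rule matched versus how many the a0=0 variant would keep. It assumes x86_64 (arch=c000003e, where syscall 227 is clock_settime), that auditd prints a0 in hex, and the Linux clockid values (0 = CLOCK_REALTIME, 1 = CLOCK_MONOTONIC, 7 = CLOCK_BOOTTIME); running it over a real audit.log before editing audit.rules shows how much noise the narrowed rule removes.

```python
import re
from collections import Counter

# Constructed sample records (not taken from the thread). Records 501-504 are
# what the broad "-S clock_settime" rule matches, including failed attempts on
# clocks that cannot be set; record 505 is clock_gettime and is not matched.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383554000.101:501): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd1 a2=0 a3=0 pid=812 uid=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1383554000.102:502): arch=c000003e syscall=227 success=no exit=-22 a0=1 a1=7ffd2 a2=0 a3=0 pid=2201 uid=1000 comm="app" exe="/opt/app/bin/app" key="time-change"
type=SYSCALL msg=audit(1383554000.103:503): arch=c000003e syscall=227 success=no exit=-22 a0=1 a1=7ffd3 a2=0 a3=0 pid=2202 uid=1000 comm="app" exe="/opt/app/bin/app" key="time-change"
type=SYSCALL msg=audit(1383554000.104:504): arch=c000003e syscall=227 success=no exit=-22 a0=7 a1=7ffd4 a2=0 a3=0 pid=2203 uid=1000 comm="app" exe="/opt/app/bin/app" key="time-change"
type=SYSCALL msg=audit(1383554000.105:505): arch=c000003e syscall=228 success=yes exit=0 a0=0 a1=7ffd5 a2=0 a3=0 pid=812 uid=0 comm="ntpd" exe="/usr/sbin/ntpd" key=(null)
type=PROCTITLE msg=audit(1383554000.105:505): proctitle="ntpd"
"""

ARCH_X86_64 = "c000003e"
SYSCALL_CLOCK_SETTIME = "227"          # x86_64 syscall number
CLOCK_NAMES = {0: "CLOCK_REALTIME", 1: "CLOCK_MONOTONIC", 7: "CLOCK_BOOTTIME"}

# key=value pairs; values are either quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def clock_settime_by_clock(log_text):
    """Count clock_settime SYSCALL records per clockid (the a0 argument)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
            continue
        if rec.get("syscall") != SYSCALL_CLOCK_SETTIME:
            continue
        clockid = int(rec["a0"], 16)   # auditd prints a0..a3 in hex
        counts[CLOCK_NAMES.get(clockid, "clockid_%d" % clockid)] += 1
    return counts


def narrowing_effect(log_text):
    """(events the broad rule logged, events the a0=0 rule would keep)."""
    counts = clock_settime_by_clock(log_text)
    return sum(counts.values()), counts["CLOCK_REALTIME"]


if __name__ == "__main__":
    broad, narrowed = narrowing_effect(SAMPLE_LOG)
    print("broad rule: %d events, a0=0 rule: %d events" % (broad, narrowed))
```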