Re: boot parameter question

I'm having trouble getting my "audit_backlog_limit" boot parameter accepted. I have the following 2 audit parameters on my boot line: audit=1 audit_backlog_limit=8192 My /proc/cmdline shows them both once booted up. But I'm not getting the audit_backlog_limit applied to the kernel audit startup. I have a auditctl -b 8192 that runs from the audit.rules, and the resulting CONFIG_change event shows "...audit_backlog_limit=8192, old=64...". After startup I run: # auditctl -s and see that I've lost 93 events. Looking at the kernel code, I see that if the "audit=1" value is set, it should print: "enabled (after initialization)" , which I see in both dmesg and /var/log/messages, The second one (audit_backlog_limit=8192) should output IIUC: "audit_backlog_limit: "  , which I don't see anywhere. It's as if the parameter is being ignored. I've tried moving it to a different spot so it isn't the last on the line, etc. Nothing.

I stumbled on this because I'm not seeing the "SYSTEM_BOOT" events anymore; I suspect they are in the missing ones. Pretty sure I don't have a typo; I've put it into the grub config and run the grub2-mkconfig -o /boot/grub2/grub.cfg and booted from that. Again, the parameter is there in /proc/cmdline but doesn't seem to be accepted. No warnings about it either AFAICT. RHEL7.6, kernel 3.10.0-957 Don't think the audit userspace version makes much difference, but it is 2.8.5. Thanks in advance, LCB -- Lenny Bruzenak