Re: [PATCH v2] audit: report audit wait metric in audit status reply

I would like to suggest providing a mechanism where admins can query the status or state of backlog issues (wait time, sums, etc...).  Maybe the intent is to expand the output of status checking of auditd. I believe further clarity is beneficial on the setting of the 'backlog_wait_sum' (or to whatever the name evolves to) initially.-  How it evolves over time-  What the conditions in the system, or auditing, would change it-  What conditions admins should pay attention to for informational understanding of status -  What conditions admins should realize exist such that adjustments are needed   (and suggestions to what those adjustments should be)-  What new guidance will admins have for building adjusting audit.rules around this Consider the scenario where auditing has been 'working fine' for days.Little to no active admin monitoring.Events occur to spike the auditing such that backloging of audit records dramatically increases.(for some reason) admins now come looking to investigate.Assuming they do:  'systemctl status auditd' the newly presented 'state' of the 'backlog_wait_sum' will show some evidence.Q:  Is that just a moment in time?Q:  What information here will give the perspective things are good/ok 'now', versus some action needs to be taken? Maybe that isn't a great scenario, or good questions----it is what occurs to me at the moment. Thank you. R,-Joe Wulf On Wednesday, July 1, 2020, 5:33:14 PM EDT, Max Englander <max.englander(a)gmail.com&gt; wrote: <snip>