Howdy,
I am currently working with the attached test, config3_test, that I have
pasted into a text file below. Config3 (assertions 4 and 5) fail on
multiple platforms that contain audit-0.9.4-1, although they will pass
with earlier audits. When it is run, the messages file in /var/log/messages
is filled with the following repeating lines during the problem cases.
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
The problem persists even with changing the backlog limit. Here are the
results in /var/log/messages with different limits.
backlog limit < 8000:
Jun 15 00:38:43 bracer3 kernel: audit: backlog limit exceeded
Jun 15 00:38:43 bracer3 auditd[6013]: Audit daemon rotating log files
Jun 15 00:38:43 bracer3 kernel: audit: audit_backlog=8001 > audit_backlog_limit=8000
backlog limit > 9000:
Jun 15 00:48:29 bracer3 auditd: auditd shutdown failed
Jun 15 00:48:29 bracer3 auditd: Value -1 should only be numbers - line 10
Jun 15 00:48:29 bracer3 auditd: The audit daemon is exiting.
Jun 15 00:48:29 bracer3 auditd: auditd startup failed
Jun 15 00:48:36 bracer3 auditd: auditd startup succeeded
Jun 15 00:48:36 bracer3 auditd[6832]: Init complete, audit pid set to: 6832
Jun 15 00:48:37 bracer3 auditd[6832]: Audit daemon rotating log files
Jun 15 00:49:08 bracer3 last message repeated 109 times
Jun 15 00:49:17 bracer3 last message repeated 33 times
Jun 15 00:49:20 bracer3 auditd[6832]: The audit daemon is exiting.
Jun 15 00:49:21 bracer3 auditd: auditd shutdown succeeded
Jun 15 00:49:21 bracer3 kernel: audit: *NO* daemon at audit_pid=6832
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.489:5030167):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.693:5030173):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.897:5030179):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.101:5030185):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.305:5030191):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.509:5030197):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
When the commands are done manually for only assertion 4, it passes. This
is because assertion 3 causes the load that sends the messages to
/var/log/messages. Here is the loop and ruleset used by assertion 3.
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* Load generator: 2000 audited mkdir/chmod/rmdir round trips (dirname and mode come from the test's setup, not shown here). */
static void generate_load(const char *dirname, mode_t mode)
{
    for (int lc1 = 0; lc1 < 2000; lc1++) {
        syscall(__NR_mkdir, dirname, mode);
        syscall(__NR_chmod, dirname, mode);
        syscall(__NR_rmdir, dirname);
    }
}
/* Create rules using auditctl: audit the three syscalls at entry and at exit. */
static void create_rules(void)
{
    system("auditctl -a entry,always -S mkdir");
    system("auditctl -a entry,always -S chmod");
    system("auditctl -a entry,always -S rmdir");
    system("auditctl -a exit,always -S mkdir");
    system("auditctl -a exit,always -S chmod");
    system("auditctl -a exit,always -S rmdir");
}
The line assertion 4 creates and searches for in /var/log/messages is
there, but it is followed by many rows of the backlog limit messages, pushing it
to the top of the file and making it difficult to find.
Denise Garrett
dmgarret(a)us.ibm.com
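An added example, not code from the post or from the audit project, that parses kernel audit lines of the shape shown above and reports the backlog limit, whether it was saturated, how many records the kernel dropped in the window (audit_lost is a cumulative counter), and how many auditd restart cycles occurred; the sample lines are constructed to resemble the excerpt.

```python
import re
from typing import Dict

# Constructed sample modelled on the /var/log/messages excerpt in the post
# (not the original lines): a saturated backlog plus an auditd restart cycle.
SAMPLE_LOG = """\
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
"""

BACKLOG_RE = re.compile(r"audit_backlog=(\d+) > audit_backlog_limit=(\d+)")
LOST_RE = re.compile(r"audit_lost=(\d+) audit_rate_limit=\d+ audit_backlog_limit=(\d+)")


def analyse_audit_log(text: str) -> Dict[str, object]:
    """Summarise kernel audit backlog pressure and auditd restarts in a syslog excerpt.
    audit_lost is cumulative, so last minus first is the number of records
    dropped inside this window."""
    first_lost = last_lost = limit = None
    exceeded = max_backlog = starts = exits = 0
    for line in text.splitlines():
        if "backlog limit exceeded" in line:
            exceeded += 1
        if "auditd startup succeeded" in line:
            starts += 1
        if "The audit daemon is exiting" in line:
            exits += 1
        if m := BACKLOG_RE.search(line):
            max_backlog = max(max_backlog, int(m.group(1)))
            limit = int(m.group(2))
        elif m := LOST_RE.search(line):
            last_lost = int(m.group(1))
            first_lost = last_lost if first_lost is None else first_lost
            limit = int(m.group(2))
    return {
        "backlog_limit": limit,
        "max_backlog": max_backlog,
        "exceeded_count": exceeded,
        "records_lost_in_window": 0 if first_lost is None else last_lost - first_lost,
        "daemon_restarts": min(starts, exits),
        "saturated": exceeded > 0 or (limit is not None and max_backlog > limit),
    }
```

A non-zero records_lost_in_window means the kernel discarded audit records under load, so the line assertion 4 looks for may be missing as well as hard to find.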