Howdy,

I am currently working with the attached test, config3_test, which I have pasted into a text file below. Config3 (assertions 4 and 5) fails on multiple platforms that contain audit-0.9.4-1, although it passes with earlier audit versions. When it is run, /var/log/messages is filled with the following repeating lines during the problem cases.
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
The problem persists even with changing the backlog limit. Here are the results in /var/log/messages with different limits.
backlog limit < 8000:

Jun 15 00:38:43 bracer3 kernel: audit: backlog limit exceeded
Jun 15 00:38:43 bracer3 auditd[6013]: Audit daemon rotating log files
Jun 15 00:38:43 bracer3 kernel: audit: audit_backlog=8001 > audit_backlog_limit=8000
backlog limit > 9000:

Jun 15 00:48:29 bracer3 auditd: auditd shutdown failed
Jun 15 00:48:29 bracer3 auditd: Value -1 should only be numbers - line 10
Jun 15 00:48:29 bracer3 auditd: The audit daemon is exiting.
Jun 15 00:48:29 bracer3 auditd: auditd startup failed
Jun 15 00:48:36 bracer3 auditd: auditd startup succeeded
Jun 15 00:48:36 bracer3 auditd[6832]: Init complete, audit pid set to: 6832
Jun 15 00:48:37 bracer3 auditd[6832]: Audit daemon rotating log files
Jun 15 00:49:08 bracer3 last message repeated 109 times
Jun 15 00:49:17 bracer3 last message repeated 33 times
Jun 15 00:49:20 bracer3 auditd[6832]: The audit daemon is exiting.
Jun 15 00:49:21 bracer3 auditd: auditd shutdown succeeded
Jun 15 00:49:21 bracer3 kernel: audit: *NO* daemon at audit_pid=6832
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.489:5030167):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.693:5030173):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.897:5030179):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.101:5030185):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.305:5030191):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.509:5030197):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
When the commands are run manually for only assertion 4, it passes. This is because assertion 3 causes the load that sends the messages to /var/log/messages. Here is the loop and ruleset used by assertion 3.
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(void)
{
    /* dirname and mode are not shown in the post; these values are placeholders. */
    const char *dirname = "/tmp/config3_dir";
    mode_t mode = 0755;
    int lc1;

    /* Create rules using auditctl: audit mkdir, chmod and rmdir on both
     * syscall entry and exit, so every loop iteration produces six records. */
    system("auditctl -a entry,always -S mkdir");
    system("auditctl -a entry,always -S chmod");
    system("auditctl -a entry,always -S rmdir");
    system("auditctl -a exit,always -S mkdir");
    system("auditctl -a exit,always -S chmod");
    system("auditctl -a exit,always -S rmdir");

    /* Generate the load: 2000 rounds of mkdir/chmod/rmdir, issued as raw
     * syscalls so the rules above match each one directly. */
    for (lc1 = 0; lc1 < 2000; lc1++) {
        syscall(__NR_mkdir, dirname, mode);
        syscall(__NR_chmod, dirname, mode);
        syscall(__NR_rmdir, dirname);
    }
    return 0;
}
The line that assertion 4 creates and searches for in /var/log/messages is there, but it is followed by many rows of the backlog limit messages, which push it to the top of the file and make it difficult to find.
Denise Garrett
dmgarret@us.ibm.com
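As an added example (not part of the original post and not code from the audit package), the following script scans /var/log/messages lines of the shapes quoted above and reports how far the kernel's audit_lost counter advanced, how many times the backlog overflowed, and whether auditd restarted while records were being dropped. The sample lines are the first excerpt above, re-joined one event per line; the only assumptions are the message formats it matches, which are taken from the post.

```python
"""Detect Linux audit backlog overflow and record loss in syslog output.

Added example, not code from the original post or from the audit project.
It recognises only the kernel and auditd message shapes quoted in the post
(audit_backlog=N > audit_backlog_limit=M, audit_lost=N ..., "backlog limit
exceeded", and the auditd start/stop lines); any other line is ignored.
"""
import re
from typing import Dict, Iterable, List, Optional

# syslog prefix: "Jun 15 09:36:06 xracer1 <message>"
RE_PREFIX = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# kernel: audit: audit_backlog=257 > audit_backlog_limit=256
RE_BACKLOG = re.compile(r"audit: audit_backlog=(\d+) > audit_backlog_limit=(\d+)")
# kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
RE_LOST = re.compile(r"audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
RE_EXCEEDED = re.compile(r"audit: backlog limit exceeded")
# auditd lifecycle messages: a restart in the middle of record loss is itself a finding
RE_AUDITD = re.compile(
    r"auditd(?:\[\d+\])?: (auditd startup failed|auditd startup succeeded|"
    r"auditd shutdown failed|auditd shutdown succeeded|The audit daemon is exiting\.)"
)

# Constructed sample: the first /var/log/messages excerpt from the post, one event per line.
SAMPLE_LOG: List[str] = [
    "Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.",
    "Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 auditd: auditd startup failed",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256",
    "Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded",
]


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Walk syslog lines and return counters describing audit record loss."""
    hosts = set()
    exceeded = 0           # "backlog limit exceeded" lines
    overflows = 0          # "audit_backlog=N > audit_backlog_limit=M" lines
    max_backlog = 0
    limit: Optional[int] = None
    lost_first: Optional[int] = None   # audit_lost is cumulative since boot
    lost_last: Optional[int] = None
    daemon_events: List[str] = []

    for line in lines:
        m = RE_PREFIX.match(line.rstrip("\n"))
        if not m:
            continue  # not a syslog line in the expected format
        _ts, host, msg = m.groups()
        hosts.add(host)

        b = RE_BACKLOG.search(msg)
        if b:
            overflows += 1
            max_backlog = max(max_backlog, int(b.group(1)))
            limit = int(b.group(2))
            continue
        lo = RE_LOST.search(msg)
        if lo:
            lost = int(lo.group(1))
            if lost_first is None:
                lost_first = lost
            lost_last = lost
            limit = int(lo.group(3))
            continue
        if RE_EXCEEDED.search(msg):
            exceeded += 1
            continue
        d = RE_AUDITD.search(msg)
        if d:
            daemon_events.append(d.group(1))

    lost_delta = (lost_last - lost_first) if lost_first is not None else 0
    return {
        "hosts": sorted(hosts),
        "exceeded_count": exceeded,
        "overflow_events": overflows,
        "max_backlog": max_backlog,
        "backlog_limit": limit,
        "lost_first": lost_first,
        "lost_last": lost_last,
        "lost_delta": lost_delta,
        "daemon_events": daemon_events,
        # any growth of audit_lost or any overflow means the audit trail has a gap
        "audit_trail_gap": lost_delta > 0 or overflows > 0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Because audit_lost is a cumulative counter, lost_delta only measures loss within the lines fed in; the absolute value (65593 here) is the total since boot, and a non-zero difference between the first and last sighting is the figure to raise, since every increment is an audit record that never reached auditd. Run it over a whole messages file with `summarize(open("/var/log/messages"))`.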