Hello, I found a memory leak problem when the the ”log_format = NOLOG“ is set in auditd.conf. See the code in function "void enqueue_event(struct auditd_reply_list *rep)" in "/src/auditd-event.c", If it comes into the case LF_NOLOG, then there is no chance to free the rep->reply.message because it returns so that the message cannot be dequeued in function "static void *event_thread_main(void *arg) " to free it. The same problem may occurs in case "default:" below the case LF_NOLOG. When the message type is between AUDIT_FIRST_DAEMON and AUDIT_LAST_DAEMON, the rep->reply.message will be malloced in function "int send_audit_event(int type, const char *str)" in "/src/auditd.c". So I write a patch below, but I'm not sure whether this is the correct way to submit a patch because this is my first submmition. So please tell me if I'm wrong. --- a/src/auditd-event.c +++ b/src/auditd-event.c @@ -172,6 +172,11 @@ void enqueue_event(struct auditd_reply_list *rep) case LF_NOLOG: // We need the rotate event to get enqueued if (rep->reply.type != AUDIT_DAEMON_ROTATE ) { + /* Internal DAEMON messages should be free'd */ + if (rep->reply.type >= AUDIT_FIRST_DAEMON && + rep->reply.type <= AUDIT_LAST_DAEMON) { + free((void *)rep->reply.message); + } free(rep); return; } @@ -180,6 +185,11 @@ void enqueue_event(struct auditd_reply_list *rep) audit_msg(LOG_ERR, "Illegal log format detected %d", consumer_data.config->log_format); + /* Internal DAEMON messages should be free'd */ + if (rep->reply.type >= AUDIT_FIRST_DAEMON && + rep->reply.type <= AUDIT_LAST_DAEMON) { + free((void *)rep->reply.message); + } free(rep); return; }