Hello All,
We use an auditd plugin to monitor system calls like socket, connect, etc. This plugin reads
data from the audit netlink socket and converts it into an internal format.
Recently we are noticing that on some distributions like Oracle 9, Kernel Version:
5.15.0-100.96.32.el9uek.x86_64, our plugin is not coming up.
We see the below log in the output of "systemctl status auditd" command:
Error receiving audit netlink packet (No buffer space available)
I have tried to increase the q_depth and backlog limit of auditd, but I am still hitting this
error.
Any suggestions or help?
Regards
Anurag
I had the same issue, and it was answered by Steve Grubb <sgrubb(a)redhat.com>.
You may increase net.core.rmem_default.
## In short.
The default netlink buffer is set by this sysctl:
# sysctl net.core.rmem_default
net.core.rmem_default = 212992
200k should be plenty to hold a 9k netlink packet at the most.
On Tue, Jan 2, 2024 at 5:35 PM, <anurag19aggarwal(a)gmail.com> wrote:
>
> Hello All,
>
> We use an auditd plugin to monitor system calls like socket, connect etc. This plugin
> read data from audit netlink socket and converts into a internal format.
>
> Recently we are noticing that on some distributions like Oracle 9, Kernel Version:
> 5.15.0-100.96.32.el9uek.x86_64, our plugin is not coming up.
>
> We see the below log in the output of "systemctl status auditd" command:
> Error receiving audit netlink packet (No buffer space available)
>
> I have tried to increase the q_depth, and backlog limit of auditd, but still hitting
> this error.
>
> Any suggestions or help?
>
> Regards
> Anurag