What does this mean from dmesg?
Steve Grubb
sgrubb at redhat.com
Fri Dec 21 17:17:03 UTC 2007
On Friday 21 December 2007 10:53:01 Gilbert Sebenste wrote:
> Getting lots of these when doing dmesg:
>
> audit: audit_backlog=321 > audit_backlog_limit=320
> audit: audit_lost=1700 audit_rate_limit=0 audit_backlog_limit=320
> audit: backlog limit exceeded
It means that you are getting flooded with audit events. You can increase the
audit daemon's priority to make sure it has enough run time to empty its
queue or lengthen the backlog.
To lengthen the backlog, edit /etc/audit/audit.rules and change the "-b 320"
to "-b 8192". This will allocate 8192 buffers in the kernel for audit events
instead of 320. If that doesn't do it, bump the priority by
editing /etc/audit/auditd.conf and change "priority_boost = 3"
to "priority_boost = 4" or 5.
But this begs the question about what is flooding your system. To find out,
run "aureport --start today" and look around to see what kind of things is
happening. Maybe "aureport --start today --event --summary -i" would be
helpful, too.
-Steve
More information about the fedora-test-list
mailing list