/var/log/messages: backlog limit exceeded

Denise Garrett dmgarret at us.ibm.com
Wed Jun 15 19:10:21 UTC 2005


Howdy,

I am currently working with the attached test, config3_test, that I have 
pasted into a text file below. Config3 (assertions 4 and 5) fails on 
multiple platforms that contain audit-0.9.4-1, although it will pass 
with earlier audits. When it is run, the messages file in /var/log/messages 
is filled with the following repeating lines during the problem cases. 

Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded

The problem persists even with changing the backlog limit. Here are the 
results in /var/log/messages with different limits. 

backlog limit < 8000:
     Jun 15 00:38:43 bracer3 kernel: audit: backlog limit exceeded
     Jun 15 00:38:43 bracer3 auditd[6013]: Audit daemon rotating log files
     Jun 15 00:38:43 bracer3 kernel: audit: audit_backlog=8001 > audit_backlog_limit=8000
backlog limit > 9000:
     Jun 15 00:48:29 bracer3 auditd: auditd shutdown failed
     Jun 15 00:48:29 bracer3 auditd: Value -1 should only be numbers - line 10
     Jun 15 00:48:29 bracer3 auditd: The audit daemon is exiting.
     Jun 15 00:48:29 bracer3 auditd: auditd startup failed
     Jun 15 00:48:36 bracer3 auditd: auditd startup succeeded
     Jun 15 00:48:36 bracer3 auditd[6832]: Init complete, audit pid set to: 6832
     Jun 15 00:48:37 bracer3 auditd[6832]: Audit daemon rotating log files
     Jun 15 00:49:08 bracer3 last message repeated 109 times
     Jun 15 00:49:17 bracer3 last message repeated 33 times
     Jun 15 00:49:20 bracer3 auditd[6832]: The audit daemon is exiting.
     Jun 15 00:49:21 bracer3 auditd: auditd shutdown succeeded
     Jun 15 00:49:21 bracer3 kernel: audit: *NO* daemon at audit_pid=6832
     Jun 15 00:49:21 bracer3 kernel: audit(1118814561.489:5030167): auid=500 removed an audit rule
     Jun 15 00:49:21 bracer3 kernel:
     Jun 15 00:49:21 bracer3 kernel: audit(1118814561.693:5030173): auid=500 removed an audit rule
     Jun 15 00:49:21 bracer3 kernel:
     Jun 15 00:49:21 bracer3 kernel: audit(1118814561.897:5030179): auid=500 removed an audit rule
     Jun 15 00:49:21 bracer3 kernel:
     Jun 15 00:49:22 bracer3 kernel: audit(1118814562.101:5030185): auid=500 removed an audit rule
     Jun 15 00:49:22 bracer3 kernel:
     Jun 15 00:49:22 bracer3 kernel: audit(1118814562.305:5030191): auid=500 removed an audit rule
     Jun 15 00:49:22 bracer3 kernel:
     Jun 15 00:49:22 bracer3 kernel: audit(1118814562.509:5030197): auid=500 removed an audit rule
     Jun 15 00:49:22 bracer3 kernel:

When the commands are done manually for only assertion 4, it passes. This 
is because assertion 3 causes the load that sends the messages to 
/var/log/messages. Here are the loop and ruleset used by assertion 3.

#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Load loop from assertion 3: 2000 mkdir/chmod/rmdir triples, each audited on entry and exit. */
static void config3_load(const char *dirname, mode_t mode)
{
    int lc1;
    for (lc1 = 0; lc1 < 2000; lc1++) {
        syscall(__NR_mkdir, dirname, mode);
        syscall(__NR_chmod, dirname, mode);
        syscall(__NR_rmdir, dirname);
    }
}

/* Create rules using auditctl. */
static void config3_rules(void)
{
    system("auditctl -a entry,always -S mkdir");
    system("auditctl -a entry,always -S chmod");
    system("auditctl -a entry,always -S rmdir");
    system("auditctl -a exit,always -S mkdir");
    system("auditctl -a exit,always -S chmod");
    system("auditctl -a exit,always -S rmdir");
}

The line that assertion 4 creates and searches for in /var/log/messages is 
there, but it is followed by many rows of the backlog limit messages, pushing it 
to the top of the file and making it difficult to find. 

Denise Garrett
dmgarret at us.ibm.com
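The lines quoted in this report are the kernel telling you that audit events were dropped: audit_backlog climbed past audit_backlog_limit, and the cumulative audit_lost counter kept increasing, so some of the mkdir/chmod/rmdir calls the rules were meant to record never reached auditd. The following is an added example, not part of the original post or of the config3 test: a small Python parser that runs over syslog-style lines like the ones above and summarises, per host, how often the limit was hit, the peak backlog against the configured limit, how many events were lost inside the window (the delta of the cumulative audit_lost counter), and how many times auditd restarted. The sample log embedded in it is constructed from the report's own excerpt; the regular expressions assume the traditional "Mon DD HH:MM:SS host prog[pid]: message" syslog layout shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, modelled on the /var/log/messages excerpt in the
# report (host name, timestamps and counters copied from the quoted lines).
SAMPLE_LOG = """\
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
"""

# Traditional syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (assumed layout).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel messages quoted in the report.
BACKLOG_RE = re.compile(r"^audit: audit_backlog=(\d+) > audit_backlog_limit=(\d+)$")
LOST_RE = re.compile(r"^audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)$")


@dataclass
class HostSummary:
    exceeded: int = 0                 # "backlog limit exceeded" lines seen
    peak_backlog: int = 0             # highest audit_backlog reported
    limit: Optional[int] = None       # audit_backlog_limit in effect
    first_lost: Optional[int] = None  # audit_lost at the start of the window
    last_lost: Optional[int] = None   # audit_lost at the end of the window
    daemon_restarts: int = 0          # "auditd startup succeeded" lines seen

    @property
    def lost_in_window(self) -> int:
        """audit_lost is cumulative since boot, so the delta is what was dropped here."""
        if self.first_lost is None or self.last_lost is None:
            return 0
        return self.last_lost - self.first_lost

    @property
    def coverage_gap(self) -> bool:
        """True when the host demonstrably dropped audit records in this window."""
        return self.exceeded > 0 or self.lost_in_window > 0


def summarize(log_text: str) -> Dict[str, HostSummary]:
    """Parse syslog lines and aggregate the audit backlog indicators per host."""
    per_host: Dict[str, HostSummary] = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand (e.g. the empty "kernel:" lines)
        host, prog, msg = m.group("host"), m.group("prog"), m.group("msg")
        s = per_host.setdefault(host, HostSummary())
        if prog == "auditd" and msg == "auditd startup succeeded":
            s.daemon_restarts += 1
            continue
        if prog != "kernel":
            continue
        if msg == "audit: backlog limit exceeded":
            s.exceeded += 1
            continue
        bm = BACKLOG_RE.match(msg)
        if bm:
            s.peak_backlog = max(s.peak_backlog, int(bm.group(1)))
            s.limit = int(bm.group(2))
            continue
        lm = LOST_RE.match(msg)
        if lm:
            lost = int(lm.group(1))
            if s.first_lost is None:
                s.first_lost = lost
            s.last_lost = lost
            s.limit = int(lm.group(3))
    return per_host


def report(per_host: Dict[str, HostSummary]) -> List[str]:
    """One human-readable status line per host, worst news first."""
    out = []
    for host, s in sorted(per_host.items()):
        status = "COVERAGE GAP" if s.coverage_gap else "ok"
        out.append(
            f"{host}: {status}; limit exceeded {s.exceeded}x, peak backlog "
            f"{s.peak_backlog}/{s.limit}, {s.lost_in_window} events lost in window "
            f"(audit_lost now {s.last_lost}), auditd restarts {s.daemon_restarts}"
        )
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against a real file with `summarize(open("/var/log/messages").read())`. The number that matters to a defender is `lost_in_window`: a rising cumulative audit_lost means the syscall rules were in place but some of the records they generated were discarded, so the log cannot be treated as complete for that period. The `daemon_restarts` counter separately flags the start/stop flapping visible in the report, which is a different problem from the backlog size itself.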
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: config3_test.txt
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050615/95180886/attachment.txt>