/var/log/messages: backlog limit exceeded
Denise Garrett
dmgarret at us.ibm.com
Wed Jun 15 19:10:21 UTC 2005
Howdy,
I am currently working with the attached test, config3_test, that I have
pasted into a text file below. Config3 (assertions 4 and 5) fails on
multiple platforms that contain audit-0.9.4-1, although it will pass
with earlier audits. When it is run, the messages file in /var/log/messages
is filled with the following repeating lines in the problem cases.
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
The problem persists even with changing the backlog limit. Here are the
results in /var/log/messages with different limits.
backlog limit < 8000:
Jun 15 00:38:43 bracer3 kernel: audit: backlog limit exceeded
Jun 15 00:38:43 bracer3 auditd[6013]: Audit daemon rotating log files
Jun 15 00:38:43 bracer3 kernel: audit: audit_backlog=8001 > audit_backlog_limit=8000
backlog limit > 9000:
Jun 15 00:48:29 bracer3 auditd: auditd shutdown failed
Jun 15 00:48:29 bracer3 auditd: Value -1 should only be numbers - line 10
Jun 15 00:48:29 bracer3 auditd: The audit daemon is exiting.
Jun 15 00:48:29 bracer3 auditd: auditd startup failed
Jun 15 00:48:36 bracer3 auditd: auditd startup succeeded
Jun 15 00:48:36 bracer3 auditd[6832]: Init complete, audit pid set to: 6832
Jun 15 00:48:37 bracer3 auditd[6832]: Audit daemon rotating log files
Jun 15 00:49:08 bracer3 last message repeated 109 times
Jun 15 00:49:17 bracer3 last message repeated 33 times
Jun 15 00:49:20 bracer3 auditd[6832]: The audit daemon is exiting.
Jun 15 00:49:21 bracer3 auditd: auditd shutdown succeeded
Jun 15 00:49:21 bracer3 kernel: audit: *NO* daemon at audit_pid=6832
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.489:5030167):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.693:5030173):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:21 bracer3 kernel: audit(1118814561.897:5030179):
auid=500 removed an audit rule
Jun 15 00:49:21 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.101:5030185):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.305:5030191):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
Jun 15 00:49:22 bracer3 kernel: audit(1118814562.509:5030197):
auid=500 removed an audit rule
Jun 15 00:49:22 bracer3 kernel:
When the commands are run manually for only assertion 4, it passes. This
is because assertion 3 causes the load that sends the messages to
/var/log/messages. Here are the loop and ruleset used by assertion 3.
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
int main(void)
{
	const char *dirname = "/tmp/config3_dir"; /* assumed; value not shown in the post */
	mode_t mode = S_IRWXU;                    /* assumed; value not shown in the post */
	/* Create rules using auditctl (the rules must exist before the loop runs). */
	system("auditctl -a entry,always -S mkdir");
	system("auditctl -a entry,always -S chmod");
	system("auditctl -a entry,always -S rmdir");
	system("auditctl -a exit,always -S mkdir");
	system("auditctl -a exit,always -S chmod");
	system("auditctl -a exit,always -S rmdir");
	/* 2000 mkdir/chmod/rmdir cycles; each syscall hits an entry rule and an exit rule. */
	for (int lc1 = 0; lc1 < 2000; lc1++) {
		syscall(__NR_mkdir, dirname, mode);
		syscall(__NR_chmod, dirname, mode);
		syscall(__NR_rmdir, dirname);
	}
	return 0;
}
The line that assertion 4 creates and searches for in /var/log/messages is
there, but it is followed by many rows of the backlog limit messages, which
push it to the top of the file and make it difficult to find.
Denise Garrett
dmgarret at us.ibm.com
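The kernel lines above are the signal a defender cares about: every "backlog limit exceeded" means audit records were dropped, and audit_lost is the running count of how many. The following is an added example, not part of the original post or of the audit package, that folds /var/log/messages lines into those counters so a monitoring job can alert on audit loss instead of leaving someone to scroll past the repeats. The syslog line shape, the sample sshd line and the host "xracer1" sample block are constructed here from the report; the message formats matched are the ones quoted in it.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Syslog line shape: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel audit counter lines exactly as quoted in the report above.
BACKLOG_RE = re.compile(r"audit: audit_backlog=(\d+) > audit_backlog_limit=(\d+)")
LOST_RE = re.compile(r"audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
EXCEEDED_MSG = "audit: backlog limit exceeded"

# Constructed sample: the xracer1 lines from the report plus one made-up
# sshd line to show that unrelated traffic is ignored.
SAMPLE_LOG = """\
Jun 15 09:36:05 xracer1 auditd: The audit daemon is exiting.
Jun 15 09:36:05 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup failed
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65593 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 auditd: auditd startup succeeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65594 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 sshd[123]: Accepted publickey for alice from 10.0.0.5 port 4242
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65595 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
Jun 15 09:36:06 xracer1 kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: audit_lost=65596 audit_rate_limit=0 audit_backlog_limit=256
Jun 15 09:36:06 xracer1 kernel: audit: backlog limit exceeded
"""


@dataclass
class BacklogSummary:
    hosts: Set[str] = field(default_factory=set)
    exceeded_count: int = 0            # "backlog limit exceeded" lines seen
    max_backlog: int = 0               # largest audit_backlog value seen
    backlog_limit: Optional[int] = None
    first_lost: Optional[int] = None   # audit_lost at the start of the window
    last_lost: Optional[int] = None    # audit_lost at the end of the window
    startup_failures: int = 0          # "auditd startup failed"
    startups: int = 0                  # "auditd startup succeeded"

    @property
    def lost_delta(self) -> int:
        """Audit records dropped within the lines examined."""
        if self.first_lost is None or self.last_lost is None:
            return 0
        return self.last_lost - self.first_lost


def summarize_audit_backlog(lines: Iterable[str]) -> BacklogSummary:
    """Fold syslog lines into counters describing audit backlog pressure."""
    s = BacklogSummary()
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        if prog == "kernel":
            backlog_m = BACKLOG_RE.match(msg)
            lost_m = LOST_RE.match(msg)
            if msg == EXCEEDED_MSG:
                s.hosts.add(host)
                s.exceeded_count += 1
            elif backlog_m:
                s.hosts.add(host)
                s.max_backlog = max(s.max_backlog, int(backlog_m.group(1)))
                s.backlog_limit = int(backlog_m.group(2))
            elif lost_m:
                s.hosts.add(host)
                lost = int(lost_m.group(1))
                if s.first_lost is None:
                    s.first_lost = lost
                s.last_lost = lost
                s.backlog_limit = int(lost_m.group(3))
        elif prog == "auditd":
            if msg == "auditd startup failed":
                s.startup_failures += 1
            elif msg == "auditd startup succeeded":
                s.startups += 1
    return s


def audit_events_lost(s: BacklogSummary) -> bool:
    """True when the kernel reported hitting the limit or dropping records."""
    return s.exceeded_count > 0 or s.lost_delta > 0


def report(s: BacklogSummary) -> str:
    """One-line summary suitable for an alert or ticket body."""
    state = "AUDIT RECORDS LOST" if audit_events_lost(s) else "ok"
    return (
        f"{state}: hosts={sorted(s.hosts)} exceeded={s.exceeded_count} "
        f"max_backlog={s.max_backlog} limit={s.backlog_limit} "
        f"lost_in_window={s.lost_delta} (audit_lost now {s.last_lost}) "
        f"auditd startups={s.startups} failures={s.startup_failures}"
    )


if __name__ == "__main__":
    print(report(summarize_audit_backlog(SAMPLE_LOG.splitlines())))
```

The lost_delta is the number to alert on: a growing audit_lost between two samples means the kernel discarded records in that window, and a log search for an expected line (as assertion 4 does) can legitimately fail even though nothing else is wrong. Feed it a rolling window of lines (for example the output of tail -n) rather than the whole file, so the delta reflects recent loss rather than the lifetime counter.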
An embedded and charset-unspecified text was scrubbed...
Name: config3_test.txt
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20050615/95180886/attachment.txt>