audit_backlog_limit messages

Debora Velarde dvelarde at us.ibm.com
Wed Jun 29 22:53:41 UTC 2005






(decided it was best to move this discussion to the list)

We're hitting a system hang that repeatedly displays this to the terminal:
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded

The systems (we're seeing it on multiple platforms) were running simple
testcases that used this audit rule:
auditctl -a exit,always -F auid=<tester_auid>

I was able to reproduce the hang on my system.  Here's some info about my
environment before running the test:
# auditctl -s
AUDIT_STATUS: enabled=1 flag=1 pid=1143 rate_limit=0 backlog_limit=256 lost=0 backlog=0

auditctl version 0.9.14
Linux 2.6.9-11.EL.audit.71 SMP ppc64

Steve Grubb <sgrubb at redhat.com> wrote on 06/29/2005 09:03:34 AM:

> On Tuesday 28 June 2005 18:53, Debora Velarde wrote:
> > Is 'auditctl -a exit,always -F auid=<tester_auid>' not a reasonable filter
> > rule, and therefore we shouldn't worry about this?

> This is a reasonable rule. However, I don't know anything else about your
> environment. What do you have for flush? How big is your backlog queue? These
> matter more than the rule.

More information about the Linux-audit mailing list