buffer space
Steve Grubb
sgrubb at redhat.com
Tue Aug 18 15:53:43 UTC 2009
On Tuesday 18 August 2009 11:09:58 am LC Bruzenak wrote:
> On Tue, 2009-08-18 at 09:02 -0400, David Flatley wrote:
> > When I do "service auditd rotate" I am getting in
> > the /var/log/messages the following:
> >
> > Error receiving audit netlink packet (No buffer space available)
> > Error sending signal_info request (No buffer space available)
> >
> > At the same time I am running a regression test that is generating 20
> > meg audit logs every six to eight minutes.
> >
> > Is this a concern?
It sounds like you have a system that is auditing a lot of data. Since you are
doing regression testing, I would not be too concerned. But in general, you
can increase the priority boost for auditd and see if it gets more time slots
to drain the queue, make the log files larger, but fewer of them so rotate is
faster, increase the backlog buffer some more, or adjust what you are auditing.
> What I believe is happening is that you are generating an abnormal
> amount of audit data in your regression test. That's OK, but I think
> when you do the rotate the auditd suspends disk writes while it waits
> for the rotate to complete.
>
> IIRC, the rotate starts with the highest number log, rolls it to the
> next higher number. Then it decrements the counter and repeats. So
> log.13->log.14, then log.12->log.13, etc., and eventually moves
> audit.log to audit.log.1. Then a new audit.log is created and the flow
> resumes.
>
> While this happens, you are stacking up events from the kernel and
> eventually run out of space. On some machines where the log files are in
> the hundreds (I had around 300) I have seen the rotate take an
> appreciable amount of time.
This is true.
But having looked at the audit requirements and the given/suggested rules,
they are badly in need of correction. I would say those audit rules is the
root cause of the problem.
-Steve
More information about the Linux-audit
mailing list