Auditd errors on busy hosts when rolling over log files

Burn Alting burn at swtf.dyndns.org
Mon Nov 4 08:46:18 UTC 2013


Hi,

I have some quite busy hosts that emit the following errors when I
request that the audit log file be rolled over (via a kill -s USR1
auditdpid).

  Error receiving audit netlink packet(No buffer space available)
  Error sending signal_info request (No buffer space available)

From reading earlier posts (circa 2009) it would appear my options are:

a. Increase backlog buffer (currently 32768)
b. Increase priority_boost (currently 4)
c. Reduce the number of log files (currently 9)

Does anyone have a feel for which of the above should offer the best
return?

Are there other configuration parameters I could adjust (aside from
changing my ruleset in audit.rules)?

Thanks in advance

Burn





More information about the Linux-audit mailing list