Auditd errors on busy hosts when rolling over log files
Steve Grubb
sgrubb at redhat.com
Mon Nov 4 13:24:02 UTC 2013
On Monday, November 04, 2013 07:46:18 PM Burn Alting wrote:
> Hi,
>
> I have some quite busy hosts, that emit the following errors when I
> request the audit log file is rolled over (via a kill -s USR1
> auditdpid).
>
> Error receiving audit netlink packet(No buffer space available)
> Error sending signal_info request (No buffer space available)
>
> From reading earlier posts (circa 2009) it would appear my options are
>
> a. Increase backlog buffer (currently 32768)
> b. Increase priority_boost (currently 4)
> c. Reduce the number of log files (currently 9)
Another corollary to this is that you can increase the file size and decrease
the total files which would help on rotation.
> Does anyone have a feel for which of the above should offer the best
> return?
There are 2 more options:
1) Review the rules to make sure you are not getting events that you really do
not need. If you have a lot of false positives, then you might add some
arguments that better narrow the results. For example, perhaps you have this
rule:
-a always,exit -F arch=b64 -S clock_settime -k time-change
This can give a lot of false positives. The one that really matters is when a
program sets CLOCK_REALTIME (the wall clock). So, the rule can be re-written
as:
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
which narrows its scope.
2) You might experiment with cgroups.
> Are there other configuration parameters I could adjust (aside from
> changing my ruleset in audit.rules)?
There might be general disk tuning parameters in sysctl that could help as
well. Choice of file system also has performance impacts. I haven't done any
experimenting on the performance side, but I know there are people here that
also have very busy systems.
-Steve
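As an added example (not code from the thread or from the audit project), a small Python lint that flags syscall rules missing the kind of narrowing field Steve describes: a -S clock_settime rule without -F a0=... fires for every clockid, not just CLOCK_REALTIME. The NARROWING table is an assumed policy and SAMPLE_RULES is constructed input, not the original poster's ruleset.

```python
"""Heuristic lint for auditctl syscall rules lacking a narrowing -F field.
Added example, not from the thread: '-S clock_settime' alone fires for every
clockid, while '-F a0=0' keeps only CLOCK_REALTIME (a0 = first argument).
NARROWING is an assumed policy table; SAMPLE_RULES is constructed input."""
import shlex

NARROWING = {"clock_settime": "a0"}  # syscall -> field expected on its rules

SAMPLE_RULES = """\
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change
"""

def parse_rule(line):
    """Return (syscalls, fields, key) for an '-a list,action ...' rule, else None."""
    toks = shlex.split(line, comments=True)
    if len(toks) < 2 or toks[0] not in ("-a", "-A"):
        return None
    syscalls, fields, key = [], {}, None
    i = 2  # skip the list,action argument
    while i + 1 < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-S":
            syscalls.extend(arg.split(","))
        elif opt == "-F":  # forms: name=value, name!=value, name>=value, ...
            fields[arg.split("=")[0].rstrip("!<>")] = arg
        elif opt == "-k":
            key = arg
        i += 2
    return syscalls, fields, key

def broad_rules(text):
    """Return rule lines auditing a NARROWING syscall without its expected field."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        syscalls, fields, _ = parsed
        needed = {NARROWING[s] for s in syscalls if s in NARROWING}
        if needed - set(fields):
            findings.append(line.strip())
    return findings

if __name__ == "__main__":
    for rule in broad_rules(SAMPLE_RULES):
        print("consider a narrowing -F field:", rule)
```

Only the first clock_settime rule is reported; the a0-filtered rule and the adjtimex/settimeofday rule pass.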
More information about the Linux-audit mailing list