Auditd errors on busy hosts when rolling over log files

Burn Alting burn at swtf.dyndns.org
Tue Nov 5 11:07:08 UTC 2013 

On Mon, 2013-11-04 at 08:24 -0500, Steve Grubb wrote:

Thanks Steve.
 
I did a little experimentation today.
 
On a system that generates around 7500 audit events every five minutes I
changed, without success, the following:

In auditd.conf
- changed num_logs from 9 to 5 although I didn't expect a change as I
move out the rolled over (audit.log.?) log files as part of the
processing so there shouldn't be a big file rename impost
- changed priority_boost from 4 to 8
 
In audit.rules
- changed backlog from 32K to 64K to 96K to 128K
- changed rules to reduce the recorded events per 5 minute interval from
7500 to 500-600 for the same period.
 
This particular system is running audit-1.8.2-el5 but I see a similar
problem on a RHEL 6.4 box which I believe is running audit-2.2-2.el6.
 
I did note that if I executed the sync(1) command before signaling
auditd to roll over (ie execute /bin/kill -s USR1 pid) the error
SOMETIMES did not appear.
 
So I am a little bit lost.
 
I believe that the actual effect is just
- the cost of two additional lines in /var/log/messages
- the loss a few logs
 
My actual process is to
a. roll over the log file
b. run an ausearch --interpret like command
 
Perhaps my alternative is to modify my ausearch-like command to be state
full and have it process only new events as per a patch I made to
ausearch some time back

        Subject: 	[PATCH] ausearch: Add checkpoint capability and have
        incomplete logs carry forward when processing multiple audit.log
        files
        Date: 	05/11/2013 03:59:34 PM


Am open to any suggestions ... I think the key issue is that I reduced
the generated commends into audit.log from 7500 to 600 per five minute
interval but I still see the error.

Rgds
> On Monday, November 04, 2013 07:46:18 PM Burn Alting wrote:
> > Hi,
> > 
> > I have some quite busy hosts, that emit the following errors when I
> > request the audit log file is rolled over (via a kill -s USR1
> > auditdpid).
> > 
> >   Error receiving audit netlink packet(No buffer space available)
> >   Error sending signal_info request (No buffer space available)
> > 
> > >From reading earlier posts (circa 2009) it would appear my options are
> > 
> > a. Increase backlog buffer (currently 32768)
> > b. Increase priority_boost (currently 4)
> > c. Reduce the number of log files (currently 9)
> 
> Another corollary to this is that you can increase the file size and decrease 
> the total files which would help on rotation. 
> 
> 
> > Does anyone have a feel for which of the above should offer the best
> > return?
> 
> There are 2 more options:
> 
> 1) Review the rules to make sure you are not getting events that you really do 
> not need. If you have a lot of false positives, then you might add some 
> arguments that better narrow the results. For example, perhaps you have this 
> rule:
> 
> -a always,exit -F arch=b64 -S clock_settime -k time-change
> 
> This can give a lot of false positives. The one that really matters is when a 
> program sets CLOCK_REALTIME (the wall clock). So, the rule can be re-written 
> as:
> 
> -a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
> 
> which narrows its scope.
> 
> 2) You might experiment with cgroups.
> 
> 
> > Are their other configuration parameters I could adjust (aside from
> > changing my ruleset in audit.rules)?
> 
> There might be general disk tuning parameters in sysctl that could help as 
> well. Choice of file system also has performance impacts. I haven't done any 
> experimenting on the performance side, but I know there are people here that 
> also have very busy systems.
> 
> -Steve

More information about the Linux-audit mailing list