Backlog exceeded when using audisp

Steve Grubb sgrubb at redhat.com
Thu Aug 14 12:50:40 UTC 2014 

On Wednesday, August 13, 2014 02:37:52 PM Andy Ruch wrote:
> I'm trying to send the audit logs on a secure RHEL 6.5 system to rsyslog.
> Rsyslog will then send them to another system for centralized collection.

This is fine.

> I can't have audisp send them directly because the connectivity is
> unreliable and rsyslog provides on disk queues for reliable delivery. 

So does auditd. It doesn't lose events unless some limit was exceeded.

> I've activated the syslogplugin of audisp to do the transfer. The problem is
> getting the logs transferred fast enough. The system is configured to panic
> upon error (-f 2), which it does frequently when I do something like update
> the SELinux RPM since watching /etc/selinux is required by the STIG.

A couple of thoughts here. Perhaps you want to have a policy where when you 
update selinux policy, you suspend auditing and then update and then resume. 
Short of that, you'll need to boost the priority and enlarge the queue sizes. 
The panic will only occur on an in-kernel buffer overflow. User space can't do 
that.


> I have the audit buffer size configured to 8192 and the audisp queue set to
> 120. I'm surprised the 8192 buffer is being overwhelmed. When I look at
> aureport for just the time frame of the action, I get approximately 350
> events. I know that each event may have multiple entries, but it is
> interesting that the capacity of a buffer over 20 times bigger is being
> exceeded.

Well, if the auditspd buffer is full and you have lossless buffering, the daemon 
waits until there is room in the queue to continue processing and then the 
kernel buffer backs up. You have to have settings in user space that allow 
auditd to keep the kernel queue as empty as possible.

> 
> Can anyone in a similar situation share any insights? Is there a faster way
> to transfer the logs rather than the audispsyslogplugin? We use to have
> rsyslog monitor the audit.log file but ran into some issues when we started
> dealing with log file rollover. And it just seems cleaner to send the audit
> logs directly.

You can also just load rules via auditctl. The kernel defaults to sending 
events to syslog if auditd is not running.

-Steve

More information about the Linux-audit mailing list