Backlog exceeded when using audisp
Andy Ruch
adruch2002 at yahoo.com
Thu Aug 14 20:12:19 UTC 2014
> On Wednesday, August 13, 2014 02:37:52 PM Andy Ruch wrote:
> > I'm trying to send the audit logs on a secure RHEL 6.5 system to rsyslog.
> > Rsyslog will then send them to another system for centralized collection.
>
> This is fine.
>
> > I can't have audisp send them directly because the connectivity is
> > unreliable and rsyslog provides on disk queues for reliable delivery.
>
> So does auditd. It doesn't lose events unless some limit was exceeded.
>
> > I've activated the syslogplugin of audisp to do the transfer. The problem is
> > getting the logs transferred fast enough. The system is configured to panic
> > upon error (-f 2), which it does frequently when I do something like update
> > the SELinux RPM since watching /etc/selinux is required by the STIG.
>
> A couple of thoughts here. Perhaps you want to have a policy where when you
> update selinux policy, you suspend auditing and then update and then resume.
> Short of that, you'll need to boost the priority and enlarge the queue sizes.
> The panic will only occur on an in-kernel buffer overflow. User space can't do
> that.
>
> > I have the audit buffer size configured to 8192 and the audisp queue set to
> > 120. I'm surprised the 8192 buffer is being overwhelmed. When I look at
> > aureport for just the time frame of the action, I get approximately 350
> > events. I know that each event may have multiple entries, but it is
> > interesting that the capacity of a buffer over 20 times bigger is being
> > exceeded.
>
> Well, if the auditspd buffer is full and you have lossless buffering, the daemon
> waits until there is room in the queue to continue processing and then the
> kernel buffer backs up. You have to have settings in user space that allow
> auditd to keep the kernel queue as empty as possible.
>
> >
> > Can anyone in a similar situation share any insights? Is there a faster way
> > to transfer the logs rather than the audispsyslogplugin? We use to have
> > rsyslog monitor the audit.log file but ran into some issues when we started
> > dealing with log file rollover. And it just seems cleaner to send the audit
> > logs directly.
>
> You can also just load rules via auditctl. The kernel defaults to sending
> events to syslog if auditd is not running.
>
> -Steve
Upon further testing, I think there might be something else as the root cause. For my testing, I'm adding an selinux user (semanage user -a ...). This will trigger a load_policy command for SELinux. When everything works fine, auditd processes roughly 2000 events and audisp handles this with no problems. However, sometimes when I run the command, auditd will receive over 15000 events. As far as I can tell, the extra events are all SELinux error events stating "selinux_audit_rule_match: stale rule". What would cause this and why does it not happen every time? Is this an audit issue or an SELinux issue?
More information about the Linux-audit
mailing list