Accounting audit messages dropped from kernel
Steve Grubb
sgrubb at redhat.com
Fri Dec 12 16:31:00 UTC 2014
On Thursday, December 11, 2014 05:12:03 PM Kangkook Jee wrote:
> Hi, all
>
> I'm running a customized user-level audit client and getting the following
> messages from /var/log/kern.log every now and then. The message seems like
> that it is dropping audit messages due to buffer limitations.
I wouldn't say, due to buffer limitations. Its because your client is not
reading fast enough. 102400 should be plenty of buffers. By contrast, I
recommend 8192 for busy systems using auditd.
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700
> callbacks suppressed
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit:
audit_backlog=102401 > audit_backlog_limit=102400
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit:
> audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
> What I want to know more from this is that how many messages we are missing.
> For this, can I simply refer audit_lost field?
Probably.
> or I also need to consider the value from " callbacks suppressed" line?
I cannot find that in any kernel code I have.
-Steve
More information about the Linux-audit
mailing list