Disabling rsyslog rate-limiting just for audit/audispd

Steve Grubb sgrubb at redhat.com
Thu May 18 19:03:03 UTC 2017


On Thursday, May 18, 2017 2:27:11 PM EDT Stephen Buchanan wrote:
> With the caveat that I am perhaps asking the wrong audience, I'm hoping
> that someone has hit this issue before, and possibly solved it.
> 
> I've set up a number of servers in my environment to forward all audit log
> entries via audispd and rsyslog to a central rsyslog receiver where they
> are parsed and saved. All that is working (audit is sent with LOG_LOCAL6 in
> audispd syslog plugin, "local6.* @@loghost:514" is in rsyslog.conf).
> 
> The problem/question I have is whether it is possible to turn off
> rate-limiting for rsyslog *only for audit traffic*. Leaving aside that I
> need to tune the audit rules better, on heavily loaded servers the rsyslogd
> starts dropping most of the audit traffic due to the rate-limiting
> parameters. I know I can turn it off (or set it much higher) for all
> rsyslog, but is there any way to selectively set the rate limit by either
> source (audispd) or facility (local6)?
> 
> I've just joined the rsyslog mailing list, if I fail here then I'll ask
> there, but I'm afraid that the answer will have something to do with using
> rsyslog v8, and I'm stuck with the RHEL7-provided v7.4.7.

There is a rate limit in the kernel but if it's exceeded it consults the 
failure flag which will probably do something bad as an action in addition to 
dropping the event. So, that's not exactly what you want.

I suspect that you want all of your events spooled (rather than dropped) and 
then forwarded at a predetermined rate so as not to flood rsyslog. 
Unfortunately there is nothing like that today for audit events. I think 
you'll need to do something in the rsyslog setting.

-Steve
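To make the two behaviours discussed in this thread concrete, here is a small constructed model (added here; not rsyslog, audispd or kernel code). It contrasts an interval/burst limiter, which is a simplified stand-in for the kind of input rate limiting rsyslog applies and which drops everything over the burst until the interval rolls over, with the spool-and-pace behaviour Steve describes as what one would actually want for audit events: nothing is dropped, delivery is delayed instead. The sample event stream, the `local6` tag and all timings are constructed; the exact semantics of rsyslog's own rate-limit parameters are assumed to be more involved than this.

```python
"""Constructed model: drop-on-limit versus spool-and-pace for a burst of
audit events forwarded through syslog. Not rsyslog/audispd code."""
from collections import deque


class IntervalBurstLimiter:
    """Allow at most `burst` messages per `interval` seconds; every further
    message in that window is dropped. Simplified assumption about how an
    interval/burst style rate limiter behaves."""

    def __init__(self, interval: float, burst: int) -> None:
        self.interval = interval
        self.burst = burst
        self.window_start = None
        self.count = 0

    def allow(self, t: float) -> bool:
        if self.window_start is None or t - self.window_start >= self.interval:
            self.window_start = t      # new window: reset the counter
            self.count = 0
        if self.count < self.burst:
            self.count += 1
            return True
        return False                   # over budget: caller drops the event


def make_burst(n: int, spacing: float = 0.01):
    """Constructed sample: n audit-style syslog lines arriving `spacing`
    seconds apart (100/s by default), as audispd's syslog plugin might emit
    under load. Returns a list of (arrival_time, line)."""
    return [
        (i * spacing,
         f"local6.info audispd: type=SYSCALL msg=audit({1495000000 + i}.{i:03d}:{i}): "
         f"syscall=2 success=yes exe=\"/usr/bin/sample\" key=\"watch\"")
        for i in range(n)
    ]


def drop_on_limit(events, interval: float, burst: int):
    """Run the stream through the limiter; return (kept, dropped)."""
    limiter = IntervalBurstLimiter(interval, burst)
    kept, dropped = [], []
    for t, line in events:
        (kept if limiter.allow(t) else dropped).append((t, line))
    return kept, dropped


def spool_and_pace(events, rate_per_sec: float):
    """Queue every event and release at most rate_per_sec events per second.
    Nothing is lost; late events are delayed. Returns (delivered, max_lag)
    where delivered is a list of (delivery_time, line)."""
    spool = deque(events)
    delivered, next_slot, gap, max_lag = [], 0.0, 1.0 / rate_per_sec, 0.0
    while spool:
        t, line = spool.popleft()
        send_at = max(t, next_slot)    # never send before arrival or before the next slot
        delivered.append((send_at, line))
        max_lag = max(max_lag, send_at - t)
        next_slot = send_at + gap
    return delivered, max_lag


def compare(n: int = 50, interval: float = 1.0, burst: int = 20, rate: float = 10.0):
    """Summarise both strategies for one constructed burst."""
    events = make_burst(n)
    kept, dropped = drop_on_limit(events, interval, burst)
    delivered, max_lag = spool_and_pace(events, rate)
    return {
        "events": n,
        "limiter_kept": len(kept),
        "limiter_dropped": len(dropped),
        "paced_delivered": len(delivered),
        "paced_max_lag_s": round(max_lag, 3),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

With the defaults (50 events in half a second, a 20-per-second limiter, a 10-per-second pacer) the limiter keeps 20 and silently discards 30, while the pacer delivers all 50 at the cost of roughly 4.4 seconds of lag on the last event. That is the trade-off Steve's reply points at: for audit data, delay is normally acceptable and loss is not, so the knob worth tuning is a queue in front of the forwarder rather than a drop threshold.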