Why have I lost messages on boot even with a very big backlog while I am hunting only 2 syscalls?
Paul Moore
paul at paul-moore.com
Mon Oct 2 14:16:21 UTC 2017
On Sat, Sep 30, 2017 at 10:03 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> Maybe adjust your freq from 20 to maybe 50. Other than that, I don't know of
> any other user space tricks to improve the flow rate. Maybe Paul or Richard
> has ideas. I see you have a 4.8 kernel. I think I remember there being some
> netlink comm issues prior to 4.12.
Sorry for the delay in responding, I was doing a bit of traveling.
I would suggest trying a newer kernel if possible. Starting with
v4.10 and continuing up through v4.13 there was substantial work done
that would affect the audit backlog and kernel/auditd connection; if
you can try a v4.13 Linux kernel I would highly recommend it.
--
paul moore
www.paul-moore.com