lost events on boot

Lenny Bruzenak lenny at magitekltd.com
Mon Dec 7 23:28:53 UTC 2020


Apologies if this has been answered. I searched and found some 
relevant-looking dialog 2 years ago (on 12/14/2018) that Paul/RGB/Ondrej 
were discussing, however I do not see the answer.

I'm running userspace 2.8.5, kernel 3.10.0-1160.

I have boot parameters "audit=1 ... audit_backlog_limit=8192".

Immediately after boot, I use "auditctl -s" and see hundreds (varies, 
between 119-330) of lost records.


So I cleaned out all the audit data, rebooted again and examined the events.

They are numbered sequentially 1-515. I counted the events and they 
match (515).


So my questions are these:

  * Is this "lost" value accurate?
  * If the numbering doesn't indicate any gaps, what does that tell me?
    The kernel is supplying the serial number (right?), so is it
    discarding the events without assigning a serial number?
  * Do I have something wrong with my kernel boot parameters?

I'd have thought that 8k buffers would be enough, and certainly if I 
only have 515 events, it should be. Unless each record inside the event is 
adding. I also then counted each record, not just events, and got around 
1600, so I'd have thought that even multi-record events would have fit. 
I guess that depends on the buffer size.

Appreciate the help in advance; thanks.

LCB

-- 
Lenny Bruzenak
MagitekLTD
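The check described in the post (numbering the events, counting records per event, and comparing with the `lost` figure from `auditctl -s`) can be scripted. The block below is an added example, not code from the post or from the audit project: it extracts the serial from every `msg=audit(timestamp:serial):` field, reports event and record counts, the serial range and any gaps, and parses the `lost` line of `auditctl -s` output. The audit.log lines and the `auditctl -s` output embedded in it are constructed samples (serial 2 is a multi-record event and serial 4 is deliberately missing), not data from the poster's system.

```python
"""Cross-check audit.log serial numbers against the auditd 'lost' counter.

Added example for the linux-audit post above; not part of the post or of
the audit project.  Sample data below is constructed.
"""
import re
import sys
from collections import Counter

# Every kernel audit record carries "msg=audit(<secs>.<millis>:<serial>):".
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):")

# Constructed sample audit.log lines (hypothetical, not from the post).
# Serial 2 is one event made of five records; serial 4 is missing on purpose.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1607382500.100:1): arch=c000003e syscall=59 success=yes exit=0 comm="init" exe="/usr/lib/systemd/systemd"
type=SYSCALL msg=audit(1607382500.200:2): arch=c000003e syscall=59 success=yes exit=0 comm="sh" exe="/usr/bin/bash"
type=EXECVE msg=audit(1607382500.200:2): argc=2 a0="sh" a1="-c"
type=CWD msg=audit(1607382500.200:2): cwd="/"
type=PATH msg=audit(1607382500.200:2): item=0 name="/usr/bin/sh" inode=1234 dev=fd:00 mode=0100755
type=PROCTITLE msg=audit(1607382500.200:2): proctitle=7368002D63
type=SERVICE_START msg=audit(1607382501.000:3): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sshd comm="systemd" res=success'
type=SERVICE_START msg=audit(1607382501.500:5): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=crond comm="systemd" res=success'
"""

# Constructed `auditctl -s` output in the 2.8.x layout (hypothetical values).
SAMPLE_STATUS = """\
enabled 1
failure 1
pid 912
rate_limit 0
backlog_limit 8192
lost 119
backlog 0
loginuid_immutable 0 unlocked
"""


def records_per_serial(log_text):
    """Map each serial number to the number of records that carry it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            counts[int(m.group(3))] += 1
    return dict(counts)


def serial_gaps(serials):
    """Serial numbers missing between the lowest and highest seen."""
    if not serials:
        return []
    seen = set(serials)
    return [s for s in range(min(seen), max(seen) + 1) if s not in seen]


def summarize(log_text):
    """Event count, record count, serial range, gaps and multi-record events."""
    per = records_per_serial(log_text)
    return {
        "events": len(per),
        "records": sum(per.values()),
        "first": min(per) if per else None,
        "last": max(per) if per else None,
        "gaps": serial_gaps(per),
        "multi_record_events": sum(1 for n in per.values() if n > 1),
    }


def parse_lost(status_text):
    """Return the integer from the `lost` line of `auditctl -s` output."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "lost":
            return int(parts[1])
    return None


if __name__ == "__main__":
    # With a path argument, analyse a real audit.log; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    s = summarize(text)
    print(f"events={s['events']} records={s['records']} "
          f"serials={s['first']}..{s['last']} gaps={s['gaps']} "
          f"multi_record_events={s['multi_record_events']}")
    print(f"auditctl -s reports lost={parse_lost(SAMPLE_STATUS)}")
```

Run it as `python3 check_serials.py /var/log/audit/audit.log` to get the same event/record counts the post arrives at by hand, plus any holes in the serial sequence. One caveat when reading the result: the kernel stamps the serial inside audit_log_start() after the backlog-limit check, so an event dropped at that check never receives a serial and leaves no gap; a contiguous sequence therefore does not on its own contradict a non-zero `lost` counter, which is why the script reports both numbers side by side rather than deriving one from the other.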
