lost events on boot
Lenny Bruzenak
lenny at magitekltd.com
Tue Dec 8 15:09:09 UTC 2020
On 12/7/20 5:56 PM, Richard Guy Briggs wrote:
>> The kernel is supplying the serial number (right?), so is it
>> discarding the events without assigning a serial number?
> Yes, the kernel assigns the serial numbers. Sometimes. Some buffers
> never get allocated and therefore no serial number assigned due to full
> queues or memory pressure. Other buffers get dropped when queues are
> full and there is no choice but to drop a message. This is true before
> and after Paul's queue re-write.
>
>> * Do I have something wrong with my kernel boot parameters?
> Not likely. From what you have described above it sounds like you have
> done what you can.
>
>> I'd have thought that 8k buffers would be enough, and certainly if I only
>> have 515 events, should be. Unless, each record inside the event is adding.
> If your kernel command line is larger than your lost count and your
> serial number when you check it after boot, you should be in good shape.
>
>> I also then counted each record, not just events, and got around 1600, so
>> I'd have thought that even multi-record events would have fit. I guess that
>> depends on the buffer size.
> Good thinking, and you are correct. That backlog limit may need to be
> increased for more recent kernels since there are more events caught and
> some events have more records.
>
>> Appreciate the help in advance; thanks.
> I hope this helps.
>
Yes, it does help. Thanks Richard!
LCB
--
Lenny Bruzenak
MagitekLTD
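The rule of thumb in the reply above (the backlog limit passed on the kernel command line should be larger than both the lost count and the current serial number once the system is up) can be turned into a post-boot check. The script below is an added example written for this page, not code from the thread or from the audit project. It assumes the command-line parameter is `audit_backlog_limit=` and reads the limit, lost count and backlog from `auditctl -s` output and the serial from the `msg=audit(TIME:SERIAL)` stamp of the most recent record; the three inputs embedded here are constructed samples, so it runs offline.

```python
import re

# Constructed sample of /proc/cmdline (not taken from the thread).
SAMPLE_CMDLINE = (
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=1 audit_backlog_limit=8192 quiet"
)

# Constructed sample of `auditctl -s` output.
SAMPLE_STATUS = """\
enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 3
backlog_wait_time 60000
backlog_wait_time_actual 0
loginuid_immutable 0 unlocked
"""

# Constructed sample of the newest record from `ausearch --raw` (serial 515).
SAMPLE_LAST_EVENT = (
    "type=SYSCALL msg=audit(1607443200.123:515): arch=c000003e "
    "syscall=59 success=yes exit=0"
)


def cmdline_backlog_limit(cmdline):
    """Return the audit_backlog_limit= value from a kernel command line, or None."""
    m = re.search(r"(?:^|\s)audit_backlog_limit=(\d+)", cmdline)
    return int(m.group(1)) if m else None


def parse_auditctl_status(text):
    """Parse `auditctl -s` into a dict of its numeric fields (name -> int)."""
    fields = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            fields[parts[0]] = int(parts[1])
    return fields


def event_serial(record):
    """Extract SERIAL from an audit record's msg=audit(TIME:SERIAL) stamp."""
    m = re.search(r"msg=audit\(\d+\.\d+:(\d+)\)", record)
    return int(m.group(1)) if m else None


def backlog_headroom(cmdline, status_text, last_record):
    """Compare the boot-time backlog limit with the lost count and serial.

    Returns a report dict; report["ok"] is True when the limit is set, still
    in effect, and larger than both the lost count and the newest serial.
    """
    limit = cmdline_backlog_limit(cmdline)
    status = parse_auditctl_status(status_text)
    serial = event_serial(last_record)
    problems = []
    if limit is None:
        problems.append("audit_backlog_limit= is not on the kernel command line")
    else:
        if status.get("backlog_limit") != limit:
            problems.append("auditctl -s backlog_limit differs from the boot value")
        if status.get("lost", 0) >= limit:
            problems.append("lost count is not below the backlog limit")
        if serial is not None and serial >= limit:
            problems.append("newest serial number is not below the backlog limit")
    return {
        "cmdline_limit": limit,
        "effective_limit": status.get("backlog_limit"),
        "lost": status.get("lost"),
        "backlog": status.get("backlog"),
        "last_serial": serial,
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    # On a live host, replace the samples with the contents of /proc/cmdline,
    # `auditctl -s` and the last line of `ausearch --raw`.
    report = backlog_headroom(SAMPLE_CMDLINE, SAMPLE_STATUS, SAMPLE_LAST_EVENT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A nonzero `lost` with a limit that is already well above the serial points at the second failure mode Richard describes (buffers never allocated under memory pressure) rather than a queue that is simply too short, so the report keeps the raw numbers alongside the verdict.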