Fwd: Maximum Value for q_depth

Amjad Gabbar amjadgabbar11 at gmail.com
Wed Dec 8 21:54:52 UTC 2021


1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
syslog.conf for audisp. The q_depth is currently set to 80 and I think it
calls for an increase but not sure if there is a way to figure out what the
proper number would be?

2. Another thing I would like to follow up on is the difference between
q_depth and backlog_limit. My assumption was if there is any drop due to a
burst of events it would be addressed by the backlog limit. Just would like
some clarification on this and how this is an event dispatcher issue?

Thanks
Amjad

On Wed, Dec 1, 2021 at 10:00 AM Steve Grubb <sgrubb at redhat.com> wrote:

> Hello,
>
> On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> > I am currently seeing a lot of auditd dispatch error issues.
>
> What version of auditd and what plugins do you have?
>
> > It is related to a particular keyed rule that from the looks of it is
> > generating close to a million events /day. I have seen previous answers
> > where it was advised to increase the q_depth value to a suitable number.
> >
> > Based on this, I would like to confirm what is the maximum advisable value
> > q_depth can have/take?
>
> Depends on what you are willing to set it to. You can easily go to 64k, but
> you really ought to look at the plugins to see why they can't keep up. And of
> course, are the rules really designed right and you need the million
> events/day?
>
> -Steve
>
>
>
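
Added example (not part of the thread and not audit project code): a short Python script that counts events per rule key in raw audit.log records and reports each key's busiest second, to show which keyed rule produces the volume discussed above. The sample records and key names are constructed, keys_over is a hypothetical helper, and treating a one-second peak as comparable to q_depth is this example's assumption, not guidance from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in raw audit.log record format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1638395092.101:501): arch=c000003e syscall=59 success=yes pid=1200 comm="sh" key="exec_watch"
type=EXECVE msg=audit(1638395092.101:501): argc=1 a0="sh"
type=SYSCALL msg=audit(1638395092.350:502): arch=c000003e syscall=59 success=yes pid=1201 comm="ls" key="exec_watch"
type=SYSCALL msg=audit(1638395092.900:503): arch=c000003e syscall=59 success=yes pid=1202 comm="id" key="exec_watch"
type=SYSCALL msg=audit(1638395093.010:504): arch=c000003e syscall=59 success=yes pid=1203 comm="ps" key="exec_watch"
type=SYSCALL msg=audit(1638395093.200:505): arch=c000003e syscall=2 success=yes pid=1300 comm="vi" key="cfg_change"
type=USER_LOGIN msg=audit(1638395094.000:506): pid=1400 uid=0 auid=1000 msg='op=login res=success'
"""

EVENT_ID = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
KEY = re.compile(r'\bkey="([^"]+)"')

def event_rates(lines):
    """Return {key: (total_events, peak_events_in_any_one_second)}."""
    events = {}  # (epoch_second, serial) -> key, one entry per event
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        eid = (int(m.group(1)), int(m.group(2)))
        k = KEY.search(line)
        # Records of one event share a serial; only some carry the key field.
        if k:
            events[eid] = k.group(1)
        else:
            events.setdefault(eid, "(no key)")
    per_second = defaultdict(Counter)
    for (second, _serial), key in events.items():
        per_second[key][second] += 1
    return {k: (sum(c.values()), max(c.values())) for k, c in per_second.items()}

def keys_over(rates, q_depth):
    """Hypothetical helper: keys whose one-second peak exceeds q_depth."""
    return sorted(k for k, (_total, peak) in rates.items() if peak > q_depth)

if __name__ == "__main__":
    rates = event_rates(SAMPLE_LOG.splitlines())
    for key, (total, peak) in sorted(rates.items(), key=lambda kv: -kv[1][1]):
        print(f"{key:12} total={total:4} peak/s={peak}")
    print("over q_depth=80:", keys_over(rates, 80))
```

To run it against a real log, pass the lines of the audit log file to event_rates instead of SAMPLE_LOG.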