Maximum Value for q_depth

Steve Grubb sgrubb at redhat.com
Wed Dec 8 22:44:16 UTC 2021 

Hello,

On Wednesday, December 8, 2021 4:54:52 PM EST Amjad Gabbar wrote:
> 1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
> syslog.conf for audisp. The q_depth is currently set to 80 and I think it
> calls for an increase but not sure if there is a way to figure out what the
> proper number would be?

There is no good calculation that I can give you. It depends on the average 
rate of incoming events and the rate that they can be offloaded to the plugins 
+ some margin in case there is a burst. Looking at the 2.8.5 code, the 
default is 250.

https://github.com/linux-audit/audit-userspace/blob/2.8_maintenance/init.d/
audispd.conf

So, you should at least set it that high. Maybe a bit higher.


> 2. Another thing I would like to follow up on is the difference between
> q_depth and backlog_limit. My assumption was if there is any drop due to a
> burst of events it would be addressed by the backlog limit. Just would like
> some clarification on this and how this is an event dispatcher issue?

The backlog limit is inside the kernel. This is the buffer that holds events 
that are waiting for the audit daemon to offload them. Once the audit daemon 
has them, it sends it to the dispatcher which also buffers events because not 
all plugins are able to receive the events as soon as they arrive at the 
dispatcher.

So, for brief bursts, the kernel backlog will handle the load. But once they 
are pulled out of the kernel, the q_depth controls how much to hold waiting 
for plugins. If this number needs to increase much, then the plugins are 
having problems. The syslog plugin should be fine. I'd look more at the 
af_unix plugin. The client that attaches to it needs to unload events 
quickly. I'd investigate the af_unix client to see if it's the problem.

Cheers,
-Steve
 

> On Wed, Dec 1, 2021 at 10:00 AM Steve Grubb <sgrubb at redhat.com> wrote:
> > Hello,
> > 
> > On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> > > I am currently seeing a lot of auditd dispatch error issues.
> > 
> > What version of auditd and what plugins do you have?
> > 
> > > It is related to a particular keyed rule that from the looks of it is
> > > generating close to a million events /day. I have seen previous answers
> > > where it was advised to increase the q_depth value to a suitable
> > > number.
> > > 
> > > Based on this, I would like to confirm what is the maximum advisable
> > 
> > value
> > 
> > > q_depth can have/take?
> > 
> > Depends on what you are willing to set it to. You can easily go to 64k,
> > but
> > you really ought to look at the plugins to see why they can't keep up.
> > And
> > of
> > course, are the rules really designed right and you need the million
> > events/
> > day?
> > 
> > -Steve

More information about the Linux-audit mailing list