From: Steve Grubb <sgrubb@redhat.com>
To: burn@swtf.dyndns.org
Cc: linux-audit@redhat.com
Subject: Re: Auditd errors on busy hosts when rolling over log files
Date: Mon, 04 Nov 2013 08:24:02 -0500
Message-ID: <2088582.8n7zYlDrmL@x2>
In-Reply-To: <1383554778.19466.42.camel@swtf.swtf.dyndns.org>
On Monday, November 04, 2013 07:46:18 PM Burn Alting wrote:
> Hi,
>
> I have some quite busy hosts, that emit the following errors when I
> request the audit log file is rolled over (via a kill -s USR1
> auditdpid).
>
> Error receiving audit netlink packet(No buffer space available)
> Error sending signal_info request (No buffer space available)
>
> From reading earlier posts (circa 2009) it would appear my options are
>
> a. Increase backlog buffer (currently 32768)
> b. Increase priority_boost (currently 4)
> c. Reduce the number of log files (currently 9)
Another corollary to this is that you can increase the file size and decrease
the total files which would help on rotation.
> Does anyone have a feel for which of the above should offer the best
> return?
There are 2 more options:
1) Review the rules to make sure you are not getting events that you really do
not need. If you have a lot of false positives, then you might add some
arguments that better narrow the results. For example, perhaps you have this
rule:
-a always,exit -F arch=b64 -S clock_settime -k time-change
This can give a lot of false positives. The one that really matters is when a
program sets CLOCK_REALTIME (the wall clock). So, the rule can be re-written
as:
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
which narrows its scope.
2) You might experiment with cgroups.
> Are their other configuration parameters I could adjust (aside from
> changing my ruleset in audit.rules)?
There might be general disk tuning parameters in sysctl that could help as
well. Choice of file system also has performance impacts. I haven't done any
experimenting on the performance side, but I know there are people here that
also have very busy systems.
-Steve
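As an added example (not part of the thread), the rule narrowing Steve describes applied mechanically to a constructed audit.rules fragment: any `-a` rule that audits `clock_settime` without a clockid filter gets `-F a0=0` (CLOCK_REALTIME, the wall clock) inserted before its key. The sample rules and function names are assumptions of this example, not the poster's configuration.

```python
import re

CLOCK_REALTIME = 0  # clockid passed as a0 to clock_settime(2) for the wall clock

# Constructed sample audit.rules content (not taken from the poster's host).
SAMPLE_RULES = """\
# time changes
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change
-w /etc/localtime -p wa -k time-change
"""


def is_broad_clock_settime(rule):
    """True if the rule audits clock_settime without restricting a0 (the clockid)."""
    tokens = rule.split()
    syscalls = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-S":
            syscalls.extend(tokens[i + 1].split(","))
    if "clock_settime" not in syscalls:
        return False
    # A '-F a0=...' filter shows up as a bare 'a0=<value>' token after splitting.
    return not any(re.fullmatch(r"a0=\S+", t) for t in tokens)


def narrow_rule(rule):
    """Insert '-F a0=0' before the -k key so only CLOCK_REALTIME changes are audited."""
    tokens = rule.split()
    ins = tokens.index("-k") if "-k" in tokens else len(tokens)
    return " ".join(tokens[:ins] + ["-F", f"a0={CLOCK_REALTIME}"] + tokens[ins:])


def narrow_rules(text):
    """Return (rewritten rules text, list of original rules that were narrowed)."""
    out, changed = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("-a") and is_broad_clock_settime(stripped):
            changed.append(stripped)
            out.append(narrow_rule(stripped))
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = narrow_rules(SAMPLE_RULES)
    print(f"narrowed {len(changed)} rule(s):\n{new_text}")
```

Review the narrowed output before loading it with auditctl, since a rule that genuinely needs every clockid (for example a monotonic-clock policy) should keep its original form.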