From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Ricardo Robaina <rrobaina@redhat.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
eparis@redhat.com
Subject: Re: [PATCH] audit: add backlog high water mark metric
Date: Thu, 16 Apr 2026 16:33:42 -0400 [thread overview]
Message-ID: <2620823.XAFRqVoOGU@x2> (raw)
In-Reply-To: <CAHC9VhTN+vjkSSjtfFegC9cEAcGAonYY9sNk_84_nJwLay1wwg@mail.gmail.com>
On Wednesday, April 15, 2026 11:21:52 AM Eastern Daylight Time Paul Moore
wrote:
> On Wed, Apr 15, 2026 at 11:19 AM Paul Moore <paul@paul-moore.com> wrote:
> > On Tue, Apr 14, 2026 at 11:45 PM Steve Grubb <sgrubb@redhat.com> wrote:
> > > On Friday, April 10, 2026 5:34:08 PM Eastern Daylight Time Paul Moore
wrote:
> > > > On Mon, Mar 23, 2026 at 11:07 AM Ricardo Robaina
> > > > <rrobaina@redhat.com>
> > >
> > > wrote:
> > ...
> >
> > > ... compliance-driven systems that must use a finite backlog limit for
> > > memory safety but cannot tolerate dropped events ...>
> > You must pick one of those two requirements, or at the very least
> > prioritize them; it is simply impossible to both limit the backlog
> > queue and require zero dropped events.
>
> To be perfectly honest, it's also impossible to require zero dropped
> events. Even in the most extreme configurations where the admin
> decides to panic the system, that only happens once the system reaches
> the point where it is dropping events. We try *really* hard to not
> drop events, but it is always going to be a possibility.
You're helping make the point. Those administrators have decided reliable
auditing is more important than system availability. backlog_max_depth gives
them the one thing they currently lack: advance warning. If the high-water
mark is consistently approaching the backlog limit, they have actionable
information to raise the limit, reduce audit rule coverage, or address the
underlying load - before the system goes down. These are exactly the users
who would benefit the most from this metric.
-Steve
next prev parent reply other threads:[~2026-04-16 20:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-23 15:07 [PATCH] audit: add backlog high water mark metric Ricardo Robaina
2026-03-23 16:48 ` Steve Grubb
2026-04-10 21:34 ` Paul Moore
2026-04-15 3:45 ` Steve Grubb
2026-04-15 15:19 ` Paul Moore
2026-04-15 15:21 ` Paul Moore
2026-04-16 20:33 ` Steve Grubb [this message]
2026-04-16 20:51 ` Paul Moore
2026-04-16 20:58 ` Paul Moore
2026-04-17 13:02 ` Ricardo Robaina
2026-05-12 15:54 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2620823.XAFRqVoOGU@x2 \
--to=sgrubb@redhat.com \
--cc=audit@vger.kernel.org \
--cc=eparis@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rrobaina@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.