From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Amjad Gabbar <amjadgabbar11@gmail.com>
Subject: Re: Maximum Value for q_depth
Date: Wed, 01 Dec 2021 11:00:31 -0500 [thread overview]
Message-ID: <11881180.O9o76ZdvQC@x2> (raw)
In-Reply-To: <CAJcJf=Q1RzmA_ETCO-Dd=LSjAXZteM+75N+cK5G1WLHFhmjv2Q@mail.gmail.com>
Hello,
On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> I am currently seeing a lot of auditd dispatch error issues.
What version of auditd and what plugins do you have?
> It is related to a particular keyed rule that from the looks of it is
> generating close to a million events /day. I have seen previous answers
> where it was advised to increase the q_depth value to a suitable number.
>
> Based on this, I would like to confirm what is the maximum advisable value
> q_depth can have/take?
Depends on what you are willing to set it to. You can easily go to 64k, but
you really ought to look at the plugins to see why they can't keep up. And of
course, are the rules really designed right and you need the million events/
day?
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2021-12-01 16:05 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-30 23:04 Maximum Value for q_depth Amjad Gabbar
2021-12-01 16:00 ` Steve Grubb [this message]
[not found] ` <CAJcJf=RM3r1GcgeCof3Xna7Hz94C1Wg9_9YLQTfXd3ozun8CmA@mail.gmail.com>
2021-12-08 21:54 ` Fwd: " Amjad Gabbar
2021-12-08 22:44 ` Steve Grubb
[not found] ` <2165998.iZASKD2KPV@x2>
2021-12-09 4:00 ` Amjad Gabbar
2021-12-09 14:18 ` Steve Grubb
2021-12-21 5:55 ` Amjad Gabbar
2021-12-21 20:39 ` Steve Grubb
2022-01-18 6:36 ` Amjad Gabbar
2022-01-25 20:30 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=11881180.O9o76ZdvQC@x2 \
--to=sgrubb@redhat.com \
--cc=amjadgabbar11@gmail.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox