From: Steve Grubb
To: linux-audit@redhat.com
Cc: Amjad Gabbar
Subject: Re: Maximum Value for q_depth
Date: Wed, 01 Dec 2021 11:00:31 -0500
Message-ID: <11881180.O9o76ZdvQC@x2>
Organization: Red Hat

Hello,

On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> I am currently seeing a lot of auditd dispatch error issues.

What version of auditd and what plugins do you have?

> It is related to a particular keyed rule that from the looks of it is
> generating close to a million events /day. I have seen previous answers
> where it was advised to increase the q_depth value to a suitable number.
>
> Based on this, I would like to confirm what is the maximum advisable value
> q_depth can have/take?

Depends on what you are willing to set it to. You can easily go to 64k, but
you really ought to look at the plugins to see why they can't keep up. And of
course, are the rules really designed right and you need the million
events/day?

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
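Added example, not part of the original message or of the audit project's code: one way to check how many events per day each keyed rule actually produces before deciding on a q_depth value, by tallying audit.log records per key. The sample records, the key names and the function names are constructed for illustration, and the parser assumes plain quoted key values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1638316800.101:900): arch=c000003e syscall=257 success=yes exit=3 pid=411 comm="cat" key="tmp_watch"
type=PATH msg=audit(1638316800.101:900): item=0 name="/tmp/a" inode=12 nametype=NORMAL
type=SYSCALL msg=audit(1638316800.350:901): arch=c000003e syscall=257 success=yes exit=3 pid=412 comm="ls" key="tmp_watch"
type=SYSCALL msg=audit(1638316801.020:902): arch=c000003e syscall=59 success=yes exit=0 pid=413 comm="id" key="exec_log"
type=SYSCALL msg=audit(1638403200.500:903): arch=c000003e syscall=257 success=yes exit=3 pid=500 comm="cat" key="tmp_watch"
type=SYSCALL msg=audit(1638403201.000:904): arch=c000003e syscall=2 success=no exit=-13 pid=501 comm="vi" key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")  # timestamp and event serial
KEY_RE = re.compile(r'\bkey="([^"]+)"')                 # skips key=(null)

def events_per_key_per_day(log_text):
    """Return {UTC date: Counter({key: events})} for records that carry a key."""
    seen = set()
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        msg, key = MSG_RE.search(line), KEY_RE.search(line)
        if not msg or not key:  # records without a key (PATH, CWD, unkeyed events)
            continue
        # Count each (event, key) pair once even if several records carry the key.
        event = (msg.group(1), msg.group(2), key.group(1))
        if event in seen:
            continue
        seen.add(event)
        day = datetime.fromtimestamp(float(msg.group(1)), tz=timezone.utc).date()
        per_day[day.isoformat()][key.group(1)] += 1
    return per_day

def noisy_keys(per_day, threshold=1_000_000):
    """Keys whose event count on any single day reaches the threshold."""
    return sorted({k for c in per_day.values() for k, n in c.items() if n >= threshold})

if __name__ == "__main__":
    for day, counts in sorted(events_per_key_per_day(SAMPLE_LOG).items()):
        print(day, counts.most_common())
```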