From: Richard Guy Briggs
Subject: Re: Accounting audit messages dropped from kernel
Date: Fri, 12 Dec 2014 14:16:47 -0500
Message-ID: <20141212191647.GD29998@madcap2.tricolour.ca>
References: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com> <3696177.fjQgE5uCXa@x2>
In-Reply-To: <3696177.fjQgE5uCXa@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 14/12/12, Steve Grubb wrote:
> On Thursday, December 11, 2014 05:12:03 PM Kangkook Jee wrote:
> > Hi, all
> >
> > I'm running a customized user-level audit client and getting the following
> > messages from /var/log/kern.log every now and then. It seems like it is
> > dropping audit messages due to buffer limitations.
>
> I wouldn't say, due to buffer limitations. It's because your client is not
> reading fast enough. 102400 should be plenty of buffers. By contrast, I
> recommend 8192 for busy systems using auditd.
>
> > Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700
> > callbacks suppressed
> > Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit:
> > audit_backlog=102401 > audit_backlog_limit=102400
> > Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit:
> > audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
> >
> > What I want to know more from this is how many messages we are missing.
> > For this, can I simply refer to the audit_lost field?
>
> Probably.

Possibly. Some of these would be printed with printk to kbuf, governed by the
main kernel rate limiter. Some could get saved by audit_hold_queue and
successfully dequeued by auditd later.

In some recent testing I've been doing with systemd, I find I need at least 7k
buffers to avoid certain types of problems.

> > or do I also need to consider the value from the "callbacks suppressed" line?
>
> I cannot find that in any kernel code I have.

That's printk's rate limiter.

> -Steve

- RGB

--
Richard Guy Briggs
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
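The thread above is about reading the kernel's audit-drop warnings correctly: the audit_lost counter is the thing to watch, and the "callbacks suppressed" figure is printk's rate limiter withholding warning lines, not a count of audit records. The following parser is an added example, not code from the thread or from the audit project. It runs over constructed kern.log lines in the shape quoted above (the second sample's numbers are made up so that a delta exists), reinterprets the negative audit_lost value as an unsigned 32-bit counter (an assumption drawn from the negative number in the quoted log), sums its growth between samples modulo 2^32 so a wrap does not produce a bogus negative delta, and reports the suppressed-printk count separately rather than adding it to the lost-record total. As the reply notes, some records counted in audit_lost may still reach the daemon through the hold queue, so the delta is an estimate of loss, not an exact figure.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the kern.log lines quoted in the thread.
# Two samples a few seconds apart so that a delta can be computed; the second
# sample's numbers are invented for illustration, not real data.
SAMPLE_KERN_LOG = """\
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:47:01 hostname-10 kernel: [2081505.902001] audit_log_start: 98210 callbacks suppressed
Dec 11 21:47:01 hostname-10 kernel: [2081505.902004] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:47:01 hostname-10 kernel: [2081505.902006] audit: audit_lost=-295730000 audit_rate_limit=0 audit_backlog_limit=102400
"""

# The three message shapes that appear in the quoted log.
LOST_RE = re.compile(
    r"audit: audit_lost=(?P<lost>-?\d+) audit_rate_limit=(?P<rate>\d+) "
    r"audit_backlog_limit=(?P<limit>\d+)"
)
BACKLOG_RE = re.compile(
    r"audit: audit_backlog=(?P<backlog>\d+) > audit_backlog_limit=(?P<limit>\d+)"
)
SUPPRESSED_RE = re.compile(r"audit_log_start: (?P<n>\d+) callbacks suppressed")

U32 = 1 << 32


def as_u32(value: int) -> int:
    """Reinterpret a signed print of a 32-bit counter as unsigned.

    Assumption: the negative audit_lost in the quoted log is a 32-bit counter
    that passed 2^31 and was printed with a signed format.
    """
    return value % U32


def audit_lost_samples(log: str) -> List[int]:
    """Every audit_lost value in the log, oldest first, as unsigned."""
    return [as_u32(int(m.group("lost"))) for m in LOST_RE.finditer(log)]


def records_lost_between_samples(samples: List[int]) -> int:
    """Sum the growth of audit_lost across consecutive samples.

    The subtraction is taken modulo 2^32 so that a wrap between two samples
    still yields the correct small positive delta.
    """
    return sum((later - earlier) % U32 for earlier, later in zip(samples, samples[1:]))


def printk_suppressed(log: str) -> int:
    """Total 'callbacks suppressed': warning *lines* withheld by printk's rate
    limiter, not audit records. Reported on its own, never added to the
    lost-record count."""
    return sum(int(m.group("n")) for m in SUPPRESSED_RE.finditer(log))


def backlog_pressure(log: str) -> Dict[str, int]:
    """Highest backlog seen and the configured limit (0 if never reported)."""
    backlog = limit = 0
    for m in BACKLOG_RE.finditer(log):
        backlog = max(backlog, int(m.group("backlog")))
        limit = int(m.group("limit"))
    return {"max_backlog": backlog, "backlog_limit": limit}


def summarize(log: str) -> Dict[str, int]:
    """One-shot summary of drop pressure for a kern.log excerpt."""
    samples = audit_lost_samples(log)
    out = backlog_pressure(log)
    out.update(
        first_audit_lost=samples[0] if samples else 0,
        last_audit_lost=samples[-1] if samples else 0,
        records_lost=records_lost_between_samples(samples),
        printk_lines_suppressed=printk_suppressed(log),
    )
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_KERN_LOG).items():
        print(f"{key:24} {value}")
```

Feed it a real excerpt (for example the output of `journalctl -k` or the contents of /var/log/kern.log) in place of the constructed sample; the records_lost figure is the increase in audit_lost over the window covered by the excerpt, and the separate printk figure tells you how many warning lines the kernel's rate limiter hid, which is why the two must not be summed.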