From: Steve Grubb
To: linux-audit@redhat.com, Amjad Gabbar
Subject: Re: Maximum Value for q_depth
Date: Wed, 08 Dec 2021 17:44:16 -0500
Message-ID: <21289484.EfDdHjke4D@x2>
Organization: Red Hat

Hello,

On Wednesday, December 8, 2021 4:54:52 PM EST Amjad Gabbar wrote:
> 1. The version of auditd is 1:2.8.4-3 and the plugins are af_unix.conf and
> syslog.conf for audisp. The q_depth is currently set to 80 and I think it
> calls for an increase but not sure if there is a way to figure out what the
> proper number would be?

There is no good calculation that I can give you. It depends on the average
rate of incoming events and the rate that they can be offloaded to the plugins
+ some margin in case there is a burst.
Looking at the 2.8.5 code, the default is 250.

https://github.com/linux-audit/audit-userspace/blob/2.8_maintenance/init.d/audispd.conf

So, you should at least set it that high. Maybe a bit higher.

> 2. Another thing I would like to follow up on is the difference between
> q_depth and backlog_limit. My assumption was if there is any drop due to a
> burst of events it would be addressed by the backlog limit. Just would like
> some clarification on this and how this is an event dispatcher issue?

The backlog limit is inside the kernel. This is the buffer that holds events
that are waiting for the audit daemon to offload them. Once the audit daemon
has them, it sends them to the dispatcher which also buffers events because not
all plugins are able to receive the events as soon as they arrive at the
dispatcher.

So, for brief bursts, the kernel backlog will handle the load. But once they
are pulled out of the kernel, the q_depth controls how much to hold waiting for
plugins. If this number needs to increase much, then the plugins are having
problems. The syslog plugin should be fine. I'd look more at the af_unix
plugin. The client that attaches to it needs to unload events quickly. I'd
investigate the af_unix client to see if it's the problem.

Cheers,
-Steve

> On Wed, Dec 1, 2021 at 10:00 AM Steve Grubb wrote:
> > Hello,
> >
> > On Tuesday, November 30, 2021 6:04:28 PM EST Amjad Gabbar wrote:
> > > I am currently seeing a lot of auditd dispatch error issues.
> >
> > What version of auditd and what plugins do you have?
> >
> > > It is related to a particular keyed rule that from the looks of it is
> > > generating close to a million events/day. I have seen previous answers
> > > where it was advised to increase the q_depth value to a suitable
> > > number.
> > >
> > > Based on this, I would like to confirm what is the maximum advisable value
> > > q_depth can have/take?
> >
> > Depends on what you are willing to set it to. You can easily go to 64k, but
> > you really ought to look at the plugins to see why they can't keep up. And of
> > course, are the rules really designed right and you need the million
> > events/day?
> >
> > -Steve
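
Added example (not part of the original message, and not auditd code): a simplified Python model of the dispatcher queue discussed in the reply above, counting how many events are dropped for a given q_depth when events arrive faster than a plugin drains them. The one-second tick, the arrival and drain rates and the function names are assumptions constructed for illustration; 12 events/second approximates the million events/day mentioned in the thread, and the kernel backlog stage is not modelled.

```python
"""Simplified model of a bounded dispatcher queue (illustrative, not auditd code)."""

def simulate(arrivals, drain_per_tick, q_depth):
    """Return (dropped, peak_queue) for a queue holding at most q_depth events.

    arrivals       -- events handed to the dispatcher in each one-second tick
    drain_per_tick -- events the slowest plugin client accepts per tick
    """
    queued = dropped = peak = 0
    for n in arrivals:
        accepted = min(n, q_depth - queued)   # anything beyond free space is lost
        dropped += n - accepted
        queued += accepted
        peak = max(peak, queued)
        queued -= min(queued, drain_per_tick)  # plugin unloads what it can
    return dropped, peak

def min_depth_without_drops(arrivals, drain_per_tick):
    """Smallest q_depth with zero drops: the peak of an unbounded queue."""
    queued = peak = 0
    for n in arrivals:
        queued += n
        peak = max(peak, queued)
        queued -= min(queued, drain_per_tick)
    return peak

# Constructed workload: ~12 events/s steady with a 3-second burst of 200 events/s.
BURST = [12] * 10 + [200] * 3 + [12] * 10

if __name__ == "__main__":
    # Healthy client (drains 50 events/s): depth only has to absorb the burst.
    for depth in (80, 250, 500):
        dropped, peak = simulate(BURST, 50, depth)
        print(f"q_depth={depth:4d} drain=50/s dropped={dropped:4d} peak={peak}")
    print("depth needed for this burst:", min_depth_without_drops(BURST, 50))

    # Slow client (drains 10 events/s, below the 12/s average): the depth
    # needed keeps growing with time, so no q_depth value fixes it.
    for seconds in (1_000, 100_000):
        need = min_depth_without_drops([12] * seconds, 10)
        print(f"slow client, {seconds:6d}s of steady load: depth needed={need}")
```

In the first case a finite depth covers the burst; in the second the required depth grows without bound, which is the situation where the plugin client, not q_depth, needs attention.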