public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Accounting audit messages dropped from kernel
Date: Fri, 12 Dec 2014 11:31 -0500
Message-ID: <3696177.fjQgE5uCXa@x2>
In-Reply-To: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com>

On Thursday, December 11, 2014 05:12:03 PM Kangkook Jee wrote:
> Hi, all
> 
> I'm running a customized user-level audit client and getting the following
> messages from /var/log/kern.log every now and then. The message seems like
> that it is dropping audit messages due to buffer limitations.

I wouldn't say due to buffer limitations. It's because your client is not
reading fast enough. 102400 should be plenty of buffers. By contrast, I
recommend 8192 for busy systems using auditd.

> Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400

> What I want to know more from this is that how many messages we are missing.
> For this, can I simply refer audit_lost field?

Probably.

> or I also need to consider the value from " callbacks suppressed" line?

I cannot find that in any kernel code I have.

-Steve
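
An added example, not part of the original message or of the audit project's code: a small Python parser for the three kinds of kern.log line quoted above, which reports how much audit_lost grew between two reports. It assumes audit_lost is a 32-bit counter printed as a signed integer (the negative value in the thread suggests it has wrapped); the fourth sample line and the names parse and lost_between are constructed for illustration.

```python
import re

# Constructed sample: the three kern.log lines quoted in the thread, plus a
# later, made-up audit_lost report so a delta can be computed.
SAMPLE = """\
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:47:01 hostname-10 kernel: [2081505.120000] audit: audit_lost=-295738000 audit_rate_limit=0 audit_backlog_limit=102400
"""

TS = r"\[\s*(?P<ts>\d+\.\d+)\]\s+"  # kernel timestamp, seconds since boot
LOST = re.compile(TS + r"audit: audit_lost=(?P<lost>-?\d+) "
                  r"audit_rate_limit=(?P<rate>\d+) audit_backlog_limit=(?P<limit>\d+)")
BACKLOG = re.compile(TS + r"audit: audit_backlog=(?P<backlog>\d+) > "
                     r"audit_backlog_limit=(?P<limit>\d+)")
# Kept as its own event kind: the thread does not establish what this number
# counts, so it is never added to the lost total.
SUPPRESSED = re.compile(TS + r"audit_log_start: (?P<n>\d+) callbacks suppressed")


def parse(text):
    """Return one dict per recognised audit line, in log order."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("lost", LOST), ("backlog", BACKLOG), ("suppressed", SUPPRESSED)):
            m = rx.search(line)
            if m:
                fields = {k: float(v) if k == "ts" else int(v)
                          for k, v in m.groupdict().items()}
                events.append({"kind": kind, **fields})
                break
    return events


def lost_between(events):
    """Growth of audit_lost from the first to the last report, modulo 2**32.

    Assumption: the counter is 32 bits wide, so the subtraction is done
    modulo 2**32 and stays correct across a sign flip or wrap, provided
    fewer than 2**32 records were lost between the two reports.
    """
    vals = [e["lost"] for e in events if e["kind"] == "lost"]
    if len(vals) < 2:
        return None  # a single report gives no delta
    return (vals[-1] - vals[0]) % 2**32


if __name__ == "__main__":
    print("lost between first and last report:", lost_between(parse(SAMPLE)))
```

Comparing two reports avoids having to interpret the absolute value of a counter that has already wrapped.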

Thread overview: 3+ messages
2014-12-11 22:12 Accounting audit messages dropped from kernel Kangkook Jee
2014-12-12 16:31 ` Steve Grubb [this message]
2014-12-12 19:16   ` Richard Guy Briggs
