From: Steve Grubb
Subject: Re: Accounting audit messages dropped from kernel
Date: Fri, 12 Dec 2014 11:31 -0500
Message-ID: <3696177.fjQgE5uCXa@x2>
References: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com>
In-Reply-To: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, December 11, 2014 05:12:03 PM Kangkook Jee wrote:
> Hi, all
>
> I'm running a customized user-level audit client and getting the following
> messages from /var/log/kern.log every now and then. The message seems like
> it is dropping audit messages due to buffer limitations.

I wouldn't say due to buffer limitations. It's because your client is not
reading fast enough. 102400 should be plenty of buffers. By contrast, I
recommend 8192 for busy systems using auditd.

> Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700
> callbacks suppressed
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401
> audit_backlog_limit=102400
> Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit:
> audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
>
> What I want to know more from this is how many messages we are missing.
> For this, can I simply refer to the audit_lost field?

Probably.

> Or do I also need to consider the value from the "callbacks suppressed" line?

I cannot find that in any kernel code I have.

-Steve
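An added example, not part of the thread or of the audit project: a small parser over the kern.log lines quoted above (plus two constructed follow-up lines) that counts backlog overflows, sums the "callbacks suppressed" counts, and reports how much audit_lost advanced between reports. Treating audit_lost as a 32-bit counter printed as signed is an assumption made here to explain the negative value.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first three lines are the kern.log lines quoted in the
# thread; the last two are made up to show a later report of the same counters.
SAMPLE_LOG = """\
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:47:01 hostname-10 kernel: [2081505.871622] audit: audit_backlog=102500 audit_backlog_limit=102400
Dec 11 21:47:01 hostname-10 kernel: [2081505.871630] audit: audit_lost=-295730000 audit_rate_limit=0 audit_backlog_limit=102400
"""

SUPPRESSED_RE = re.compile(r"audit_log_start: (\d+) callbacks suppressed")
BACKLOG_RE = re.compile(r"audit: audit_backlog=(\d+) audit_backlog_limit=(\d+)")
LOST_RE = re.compile(r"audit: audit_lost=(-?\d+) audit_rate_limit=\d+ audit_backlog_limit=\d+")

@dataclass
class AuditDropReport:
    backlog_overflows: int = 0     # reports with audit_backlog above audit_backlog_limit
    suppressed_callbacks: int = 0  # rate-limited printk calls, kept separate from records
    lost_first: Optional[int] = None
    lost_last: Optional[int] = None

    def lost_delta(self) -> Optional[int]:
        """Records lost between the first and last audit_lost report.
        Assumption: audit_lost is a 32-bit counter printed as signed, which is why
        it can show up negative; the difference modulo 2**32 is still the count."""
        if self.lost_first is None or self.lost_last is None:
            return None
        return (self.lost_last - self.lost_first) % (1 << 32)

def parse_audit_drops(log_text: str) -> AuditDropReport:
    """Walk kern.log text and summarise the kernel's audit-drop diagnostics."""
    report = AuditDropReport()
    for line in log_text.splitlines():
        if m := SUPPRESSED_RE.search(line):
            report.suppressed_callbacks += int(m.group(1))
        elif m := BACKLOG_RE.search(line):
            if int(m.group(1)) > int(m.group(2)):
                report.backlog_overflows += 1
        elif m := LOST_RE.search(line):
            lost = int(m.group(1))
            if report.lost_first is None:
                report.lost_first = lost
            report.lost_last = lost
    return report
```

Only the audit_lost delta counts records; the suppressed-callback figure says how many warning printks the kernel rate-limiter dropped, so the two should not be added together.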