Linux-audit Archive on lore.kernel.org
From: Andrey Kulikov <andrey.kulikov@corp.mail.ru>
To: linux-audit@redhat.com
Subject: auditd hangs
Date: Tue, 17 May 2016 11:49:05 +0300
Message-ID: <573ADB01.2020000@corp.mail.ru>

Hi everyone,

We have several thousand hosts running CentOS 7. Every day auditd stops 
writing audit.log on 2-3 of them (different hosts every day). Here is 
the strace output:

# strace -p 17306
Process 17306 attached
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, {}, 64, 59743)            = 0
epoll_wait(7, 7fb4c3302be0, 64, 59743)  = -1 EINTR (Interrupted system call)
--- SIGHUP {si_signo=SIGHUP, si_code=SI_USER, si_pid=2728, si_uid=0} ---
write(8, "\1\0\0\0\0\0\0\0", 8)         = 8
rt_sigreturn()                          = -1 EINTR (Interrupted system call)
epoll_wait(7, {{EPOLLIN, {u32=8, u64=4294967304}}}, 64, 59743) = 1
read(8, "\1\0\0\0\0\0\0\0", 8)          = 8
sendto(3, "\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0", 16, 0, 
{sa_family=AF_NETLINK,
pid=0, groups=00000000}, 12) = 16
poll([{fd=3, events=POLLIN}], 1, 500)   = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3,
"$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"...,
8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000},
[12]) = 36
recvfrom(3,
"$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0"...,
8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 
[12]) = 36
epoll_wait(7, {{EPOLLIN, {u32=3, u64=4294967299}}}, 64, 59743) = 1
recvfrom(3,
"N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin"..., 8988,
MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 80
mmap(NULL, 8392704, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK,
-1, 0) = 0x7fb4be5da000
mprotect(0x7fb4be5da000, 4096, PROT_NONE) = 0
clone(child_stack=0x7fb4bedd9eb0,
flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
parent_tidptr=0x7fb4bedda9d0, tls=0x7fb4bedda700, 
child_tidptr=0x7fb4bedda9d0)
= 3014
epoll_wait(7,

... and the line "epoll_wait(7," is repeated infinitely.

An auditd restart helps, but I think this is a bug. What can be the causes of 
the problem?

Thanks for your help in advance!

--
Regards,
Andrey Kulikov.
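
As an added example (not part of the original post or of auditd), this Python decodes the three netlink payloads that strace printed after the SIGHUP, so the exchange on fd 3 can be read field by field. It assumes a little-endian host and the standard layouts of struct nlmsghdr, struct nlmsgerr and struct audit_sig_info; the function names are illustrative.

```python
import re
import struct

# Values from <linux/netlink.h> and <linux/audit.h>.
NLMSG_ERROR = 2
AUDIT_SIGNAL_INFO = 1010
TYPE_NAMES = {NLMSG_ERROR: "NLMSG_ERROR", AUDIT_SIGNAL_INFO: "AUDIT_SIGNAL_INFO"}
FLAG_NAMES = {0x1: "NLM_F_REQUEST", 0x4: "NLM_F_ACK"}
ESCAPES = {"n": 10, "t": 9, "r": 13, "v": 11, "f": 12, "\\": 92, '"': 34}

SAMPLES = {  # payload strings copied from the strace output in the post
    "sendto": r"\20\0\0\0\362\3\5\0\4\0\0\0\0\0\0\0",
    "ack": r"$\0\0\0\2\0\0\0\4\0\0\0\232C\0\0\0\0\0\0\20\0\0\0\362\3\5\0\4\0\0\0",
    "reply": r"N\0\0\0\362\3\0\0\4\0\0\0\232C\0\0\363\3\0\0\217C\0\0unconfin",
}

def strace_bytes(s):
    """Turn a strace-quoted string (octal and C escapes) into raw bytes."""
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        m = re.match(r"[0-7]{1,3}", s[i + 1:])
        if m:  # octal escape, 1 to 3 digits
            out.append(int(m.group(), 8))
            i += 1 + len(m.group())
        else:  # single-character C escape
            out.append(ESCAPES[s[i + 1]])
            i += 2
    return bytes(out)

def decode(s):
    """Decode the nlmsghdr and, where the bytes are present, the payload head."""
    data = strace_bytes(s)
    length, mtype, flags, seq, pid = struct.unpack_from("<IHHII", data)
    msg = {"len": length, "type": TYPE_NAMES.get(mtype, mtype),
           "flags": [n for b, n in FLAG_NAMES.items() if flags & b],
           "seq": seq, "pid": pid}
    if mtype == NLMSG_ERROR:  # struct nlmsgerr: int error; 0 means plain ACK
        msg["error"] = struct.unpack_from("<i", data, 16)[0]
    elif mtype == AUDIT_SIGNAL_INFO and len(data) >= 24:
        # struct audit_sig_info: uid, pid, then the sender's security context
        msg["sig_uid"], msg["sig_pid"] = struct.unpack_from("<Ii", data, 16)
    return msg

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, decode(payload))
```

The decoded headers show an AUDIT_SIGNAL_INFO request with sequence number 4, an NLMSG_ERROR message with error 0 (the ACK), and an AUDIT_SIGNAL_INFO reply addressed to pid 17306, the process strace was attached to.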

Thread overview: 2+ messages
2016-05-17  8:49 Andrey Kulikov [this message]
2016-05-17 17:15 ` auditd hangs Richard Guy Briggs
