From: Kangkook Jee <aixer77@gmail.com>
To: linux-audit@redhat.com
Subject: Accounting audit messages dropped from kernel
Date: Thu, 11 Dec 2014 17:12:03 -0500
Message-ID: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com>
Hi, all
I'm running a customized user-level audit client and getting the following messages from /var/log/kern.log every now and then.
The messages seem to say that it is dropping audit messages due to buffer limitations.
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871646] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871648] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871657] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871660] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871665] audit: audit_backlog=102401 > audit_backlog_limit=102400
What I want to know from this is how many messages we are missing.
For this, can I simply refer to the audit_lost field, or do I also need to consider the value from the "callbacks suppressed" line?
If anyone can help with this it will be very helpful.
Regards, Kangkook
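
The following is an added example, not part of the original message or of the audit project's code: one way to account for drops from kern.log lines like those quoted above. It assumes audit_lost is a cumulative kernel counter printed as a signed 32-bit integer (hence the negative values), so differences are taken modulo 2^32; the function names are hypothetical, and the "callbacks suppressed" figure is reported separately rather than added to the total.

```python
import re

# Constructed sample: a subset of the kern.log lines quoted in the message above.
SAMPLE = """\
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
"""

LOST_RE = re.compile(r"audit: audit_lost=(-?\d+)\b")
SUPPRESSED_RE = re.compile(r"audit_log_start: (\d+) callbacks suppressed")
MASK32 = 0xFFFFFFFF


def lost_delta(earlier, later):
    """Records lost between two audit_lost readings.

    Assumption: the counter is 32 bits wide, so the subtraction is done
    modulo 2**32. This stays correct across the sign flip seen in the log,
    provided fewer than 2**32 records were lost between the two readings.
    """
    return (later - earlier) & MASK32


def summarize(text):
    """Return drop accounting for a block of kern.log text, or None."""
    readings, suppressed = [], 0
    for line in text.splitlines():
        m = LOST_RE.search(line)
        if m:
            readings.append(int(m.group(1)))
            continue
        m = SUPPRESSED_RE.search(line)
        if m:
            # Kept apart from the lost count: assumed here to count kernel
            # log lines withheld by rate limiting, not audit records.
            suppressed += int(m.group(1))
    if not readings:
        return None
    return {
        "readings": len(readings),
        "lost_between": lost_delta(readings[0], readings[-1]),
        "counter_unsigned": readings[-1] & MASK32,  # last value, modulo 2**32
        "suppressed_log_lines": suppressed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing the first and last audit_lost readings of a capture window gives the number of records dropped in that window even when most of the per-drop log lines were rate-limited away.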