From mboxrd@z Thu Jan 1 00:00:00 1970
From: Kangkook Jee
Subject: Accounting audit messages dropped from kernel
Date: Thu, 11 Dec 2014 17:12:03 -0500
Message-ID: <8274C9A8-F136-4A46-A727-EAF34A4E2D59@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi all,

I'm running a customized user-level audit client and getting the following messages from /var/log/kern.log every now and then. The messages seem to indicate that it is dropping audit messages due to buffer limitations.
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871646] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871648] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871657] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871660] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871665] audit: audit_backlog=102401 > audit_backlog_limit=102400

What I want to know from this is how many messages we are missing. For this, can I simply refer to the audit_lost field, or do I also need to consider the value from the "callbacks suppressed" line?

If anyone can help with this it will be very helpful.

Regards,
Kangkook
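A small parser for the kernel lines quoted above, added here as an example and not part of the original post. It reads audit_lost as the kernel's cumulative 32-bit counter (the negative values in the post are that counter wrapped past 2**31, so they are reinterpreted as unsigned; this reinterpretation is an assumption about the printing format), reports how much the counter advanced within the log window, and tallies the "callbacks suppressed" figure separately, since that line is printk rate limiting telling how many warnings were not printed, not additional records beyond what audit_lost already counts. The sample lines are constructed in the post's format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same format as the kern.log lines in the post.
SAMPLE_KERN_LOG = """\
Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
"""

LOST_RE = re.compile(r"audit: audit_lost=(-?\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
SUPPRESSED_RE = re.compile(r"audit_log_start: (\d+) callbacks suppressed")


def unsigned32(value: int) -> int:
    """audit_lost is a 32-bit atomic counter printed as a signed int; a
    negative value means it wrapped past 2**31 (assumption: reinterpret
    the same bits as unsigned)."""
    return value & 0xFFFFFFFF


@dataclass
class LossSummary:
    first_lost: Optional[int]     # cumulative counter at first sighting
    last_lost: Optional[int]      # cumulative counter at last sighting
    suppressed: int               # warnings printk did not print (already in audit_lost)
    backlog_limit: Optional[int]  # current audit_backlog_limit

    @property
    def lost_in_window(self) -> int:
        """Records lost between first and last sighting, wrap-safe."""
        if self.first_lost is None:
            return 0
        return (self.last_lost - self.first_lost) & 0xFFFFFFFF


def summarize(log_text: str) -> LossSummary:
    """Walk kern.log text and collect the audit loss indicators."""
    s = LossSummary(None, None, 0, None)
    for line in log_text.splitlines():
        if m := LOST_RE.search(line):
            lost = unsigned32(int(m.group(1)))
            if s.first_lost is None:
                s.first_lost = lost
            s.last_lost = lost
            s.backlog_limit = int(m.group(3))
        elif m := SUPPRESSED_RE.search(line):
            s.suppressed += int(m.group(1))
    return s
```

The same cumulative counter is shown as "lost" by auditctl -s, which is the easier place to read the total since boot; if the window shows it still climbing, the backlog limit (auditctl -b) is the setting to revisit.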