Another question - audit_lost
Erich Schubert
erich.schubert at gmail.com
Tue Feb 22 02:38:09 UTC 2005
Hi,
I set audit_backlog to 1024, and the logging flag to 0 (ignore).
still under heavy load I get:
audit: audit_lost=390 audit_backlog=3 audit_rate_limit=0
audit_backlog_limit=1024
[... other messages ...]
audit: audit_lost=702 audit_backlog=2 audit_rate_limit=0
audit_backlog_limit=1024
audit: audit_lost=703 audit_backlog=1 audit_rate_limit=0
audit_backlog_limit=1024
[... other messages ...]
audit: audit_lost=870 audit_backlog=24 audit_rate_limit=0
audit_backlog_limit=1024
[... more audit_lost messages ...]
audit: audit_lost=892 audit_backlog=2 audit_rate_limit=0
audit_backlog_limit=1024
This is around 30 lost audit events reported to syslog despite I
disabled this, the backlog is high enough and auditd is running (it
gets 102k lines in the first 60 seconds of my system startup)
Greetings,
Erich Schubert
--
erich@(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Wo befreundete Wege zusammenlaufen, da sieht die ganze Welt für V_/_
eine Stunde wie eine Heimat aus. --- Herrmann Hesse
More information about the Linux-audit
mailing list