[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: audit_backlog_limit messages

On Wed, 2005-06-29 at 17:53 -0500, Debora Velarde wrote:
> (decided it was best to move this discussion to the list)

You have been asked before _not_ to send HTML mail.

> We're hitting a system hang that repeatedly displays this to the terminal:
> audit: audit_backlog=258 > audit_backlog_limit=256
> audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
> audit: audit_backlog_limit exceeded

As discussed, the system isn't hung; it's just going slowly because
every auditable action is waiting 1 minute for space on the backlog
queue. In fact from Steve's reports it looks like auditd itself is
getting audited again -- I'm not sure how. I wasn't able to reproduce it
using Steve's method; I'll try yours first thing in the morning.

I'll do a kernel that reverts to immediate failure after audit_panic()
has been called, to prevent the appearance of a 'hang'. But for the
purposes of our own testing, we generally shouldn't be getting into a
situation where audit_panic() is called in the first place.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]