audit_backlog_limit messages

David Woodhouse dwmw2 at infradead.org
Wed Jun 29 23:11:31 UTC 2005


On Wed, 2005-06-29 at 17:53 -0500, Debora Velarde wrote:
> (decided it was best to move this discussion to the list)

You have been asked before _not_ to send HTML mail.

> We're hitting a system hang that repeatedly displays this to the terminal:
> audit: audit_backlog=258 > audit_backlog_limit=256
> audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
> audit: audit_backlog_limit exceeded

As discussed, the system isn't hung; it's just going slowly because
every auditable action is waiting 1 minute for space on the backlog
queue. In fact from Steve's reports it looks like auditd itself is
getting audited again -- I'm not sure how. I wasn't able to reproduce it
using Steve's method; I'll try yours first thing in the morning.

I'll do a kernel that reverts to immediate failure after audit_panic()
has been called, to prevent the appearance of a 'hang'. But for the
purposes of our own testing, we generally shouldn't be getting into a
situation where audit_panic() is called in the first place.

-- 
dwmw2
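
Added example, not part of the original mail and not kernel or auditd code: a small parser for the three message shapes quoted above, reporting how often the backlog limit was exceeded, the peak backlog, and how far `audit_lost` grew. The sample log is constructed (the second `audit_lost` value is made up), and the function and field names are illustrative.

```python
import re

# Constructed sample: the message shapes quoted in the mail, repeated once.
# The second audit_lost value (59) is made up to show the counter growing.
SAMPLE = """\
audit: audit_backlog=258 > audit_backlog_limit=256
audit: audit_lost=58 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
audit: audit_backlog=257 > audit_backlog_limit=256
audit: audit_lost=59 audit_rate_limit=0 audit_backlog_limit=256
audit: audit_backlog_limit exceeded
"""

OVER = re.compile(r"audit: audit_backlog=(\d+) > audit_backlog_limit=(\d+)")
LOST = re.compile(r"audit: audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")


def summarize(log_text):
    """Summarize audit backlog-overflow messages found in kernel log text."""
    s = {"overflows": 0, "peak_backlog": 0, "limit": None,
         "last_lost": None, "lost_growth": 0, "rate_limit": None}
    prev = None
    for line in log_text.splitlines():
        # Lines may carry a syslog or dmesg prefix, so search instead of match.
        m = OVER.search(line)
        if m:
            s["overflows"] += 1
            s["peak_backlog"] = max(s["peak_backlog"], int(m.group(1)))
            s["limit"] = int(m.group(2))
            continue
        m = LOST.search(line)
        if not m:
            continue
        lost = int(m.group(1))
        # A smaller value than before means the counter restarted (reboot).
        if prev is not None:
            s["lost_growth"] += lost - prev if lost >= prev else lost
        prev = lost
        s["last_lost"] = lost
        s["rate_limit"] = int(m.group(2))
        s["limit"] = int(m.group(3))
    return s


if __name__ == "__main__":
    print(summarize(SAMPLE))
```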



