[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Attempting to deal with " audispd: queue is full - dropping event" messages



All:
 
I’m getting several hundred of these each day on my servers. I’m using remote logging to a central sever via the audisp-remote plugin.
I’ve seen recommendations to up the following setting in audispd.conf to help minimize these errors:
 
priority_boost = 8
 
This seems to raise the priority of the audispd daemon, but I’m also using audisp-remote to a central log servers. This setting doesn’t seem to effect the priority of the remote plugin, as evidenced for the following output from the top command:
 
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
13498 root      11  -4 10096  844  684 S  0.0  0.0   0:00.01 audisp-remote
13497 root       3 -12 16268  768  624 S  0.0  0.0   0:00.00 audispd
13495 root      11  -4 27352  868  588 S  0.0  0.0   0:00.00 auditd
 
For the priority boost to be fully effective wouldn’t it have to apply to the plugins as well?  Is there a way to boost priority on audisp-remote? If not, should there be a way to do this or should it be automatic?
 
Also are there any other settings that can be made to minimize/eliminate dropped events from audispd? I’m curious about the following:
 
 
How do these two relate to each other, should they be the same, or some specific ratio… etc?
 
Thanks in advance for any suggestions on this.
 
Best Regards,
 
Jim Richard
 

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]