I had the same issue and answered by Steve Grubb <sgr...@redhat.com> you may increase net.core.rmem_default
## In short. The default netlink buffer is set by this sysctl: # sysctl net.core.rmem_default net.core.rmem_default = 212992 200k should be plenty to hold a 9k netlink packet at the most. 2024년 1월 2일 (화) 오후 5:35, <anurag19aggar...@gmail.com>님이 작성: > > Hello All, > > We use an auditd plugin to monitor system calls like socket, connect etc. > This plugin read data from audit netlink socket and converts into a internal > format. > > Recently we are noticing that on some distributions like Oracle 9, Kernel > Version: 5.15.0-100.96.32.el9uek.x86_64, our plugin is not coming up. > > We see the below log in the output of "systemctl status auditd" command: > Error receiving audit netlink packet (No buffer space available) > > I have tried to increase the q_depth, and backlog limit of auditd, but still > hitting this error. > > Any suggestions or help? > > Regards > Anurag > _______________________________________________ > Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io > To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io _______________________________________________ Linux-audit mailing list -- linux-audit@lists.linux-audit.osci.io To unsubscribe send an email to linux-audit-le...@lists.linux-audit.osci.io
