Hi, I have some quite busy hosts, that emit the following errors when I request the audit log file is rolled over (via a kill -s USR1 auditdpid).
Error receiving audit netlink packet(No buffer space available) Error sending signal_info request (No buffer space available) >From reading earlier posts (circa 2009) it would appear my options are a. Increase backlog buffer (currently 32768) b. Increase priority_boost (currently 4) c. Reduce the number of log files (currently 9) Does anyone have a feel for which of the above should offer the best return? Are their other configuration parameters I could adjust (aside from changing my ruleset in audit.rules)? Thanks in advance Burn -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
