On Monday, November 04, 2013 07:46:18 PM Burn Alting wrote:
> Hi,
>
> I have some quite busy hosts, that emit the following errors when I
> request the audit log file is rolled over (via a kill -s USR1
> auditdpid).
>
> Error receiving audit netlink packet(No buffer space available)
> Error sending signal_info request (No buffer space available)
>
> From reading earlier posts (circa 2009) it would appear my options are
>
> a. Increase backlog buffer (currently 32768)
> b. Increase priority_boost (currently 4)
> c. Reduce the number of log files (currently 9)

Another corollary to this is that you can increase the file size and
decrease the total files, which would help on rotation.

> Does anyone have a feel for which of the above should offer the best
> return?

There are 2 more options:

1) Review the rules to make sure you are not getting events that you
really do not need. If you have a lot of false positives, then you might
add some arguments that better narrow the results. For example, perhaps
you have this rule:

-a always,exit -F arch=b64 -S clock_settime -k time-change

This can give a lot of false positives. The one that really matters is
when a program sets CLOCK_REALTIME (the wall clock). So, the rule can be
re-written as:

-a always,exit -F arch=b64 -S clock_settime -F a0=0 -k time-change

which narrows its scope.

2) You might experiment with cgroups.

> Are there other configuration parameters I could adjust (aside from
> changing my ruleset in audit.rules)?

There might be general disk tuning parameters in sysctl that could help
as well. Choice of file system also has performance impacts. I haven't
done any experimenting on the performance side, but I know there are
people here that also have very busy systems.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
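As an added illustration of Steve's first option (this is not code from the thread or from the audit project): a small Python script that tallies SYSCALL records per rule key in an audit.log, so the noisiest rules stand out, and for clock_settime (syscall 227 on x86_64) counts how many records the narrowed rule with -F a0=0 would keep versus drop. The log lines are constructed samples, and the syscall number is assumed to be the x86_64 one.

```python
import re
from collections import Counter

# Constructed sample audit.log SYSCALL records (not taken from the thread).
# syscall=227 is clock_settime on x86_64 (arch=c000003e); a0 is the clockid.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1383600000.101:2001): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd1c2e0 a2=0 a3=0 items=0 ppid=1 pid=1234 auid=1000 uid=0 comm="date" exe="/usr/bin/date" key="time-change"
type=SYSCALL msg=audit(1383600000.205:2002): arch=c000003e syscall=227 success=no exit=-22 a0=1 a1=7ffd1c2e0 a2=0 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1383600001.010:2003): arch=c000003e syscall=227 success=no exit=-22 a0=7 a1=7ffd1c2e0 a2=0 a3=0 items=0 ppid=1 pid=3456 auid=1000 uid=1000 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
type=SYSCALL msg=audit(1383600001.450:2004): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffd1c2e0 a2=0 a3=0 items=0 ppid=1 pid=4567 auid=1000 uid=0 comm="hwclock" exe="/usr/sbin/hwclock" key="time-change"
type=SYSCALL msg=audit(1383600002.000:2005): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2e0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=5678 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="sshd_config"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def events_per_key(log_text):
    """Count SYSCALL records per rule key: the busiest keys are the rules to narrow first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            counts[rec.get("key", "(none)")] += 1
    return counts


def clock_settime_by_clockid(log_text, syscall_nr="227"):
    """For clock_settime records, count how many the narrowed rule (-F a0=0) keeps vs drops."""
    kept = dropped = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != syscall_nr:
            continue
        # a0 is logged in hex; CLOCK_REALTIME is clockid 0
        if int(rec["a0"], 16) == 0:
            kept += 1
        else:
            dropped += 1
    return {"kept_by_a0_filter": kept, "dropped_by_a0_filter": dropped}


if __name__ == "__main__":
    for key, n in events_per_key(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {key}")
    print(clock_settime_by_clockid(SAMPLE_LOG))
```

On a real host, read /var/log/audit/audit.log into log_text instead of SAMPLE_LOG; the per-key table shows where the volume comes from before you touch backlog or file counts.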
