Hi, all

I'm running a customized user-level audit client and getting the following messages from /var/log/kern.log every now and then. The messages seem to indicate that it is dropping audit messages due to buffer limitations.

Dec 11 21:46:56 hostname-10 kernel: [2081500.871616] audit_log_start: 109700 callbacks suppressed
Dec 11 21:46:56 hostname-10 kernel: [2081500.871620] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871622] audit: audit_lost=-295739022 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871623] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871646] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871647] audit: audit_lost=-295739021 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871648] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871657] audit: audit_backlog=102401 > audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871659] audit: audit_lost=-295739020 audit_rate_limit=0 audit_backlog_limit=102400
Dec 11 21:46:56 hostname-10 kernel: [2081500.871660] audit: backlog limit exceeded
Dec 11 21:46:56 hostname-10 kernel: [2081500.871665] audit: audit_backlog=102401 > audit_backlog_limit=102400

What I want to know from this is how many messages we are missing. For this, can I simply refer to the audit_lost field, or do I also need to consider the value from the "callbacks suppressed" line?

If anyone can help with this it will be very helpful.

Regards,
Kangkook

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
