LinuxQuestions.org


aclhkaclhk 08-17-2009 06:32 AM

audit: backlog limit exceeded
 
Using CentOS 5.1, /var/log/message shows:

audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1704 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded
audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1705 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded
audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1706 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded

#aureport --start today --event --summary -i
553 cred_acq
552 login
552 user_acct
551 user_start
509 cred_disp
509 user_END
2 user_login
2 user_auth
1 cred_refr

Please advise what is flooding the auditd?

unSpawn 08-17-2009 07:17 AM

Quote:

Originally Posted by aclhkaclhk (Post 3646275)
Please advise what is flooding the auditd?

cred_.* / login / user_.* could point to cronjob problems, but your output doesn't show. Might want to use rate limiting (say "-r 21000") and increase the buffer (say "-b $[320*2]") in /etc/audit/audit.rules (use 'auditctl').
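
An added example, not part of either post: a small Python parser that condenses kernel messages like the ones in the question into an overflow count, the peak backlog, the configured limits and the growth of the audit_lost counter. The syslog prefix (timestamp, host name) on the sample lines is constructed.

```python
import re

# Constructed sample: the kernel messages from the question, one per line,
# behind a made-up syslog prefix (timestamp and host name are assumptions).
PREFIX = "Aug 17 06:30:01 host1 kernel: "
SAMPLE = [PREFIX + msg for n in (1704, 1705, 1706) for msg in (
    "audit: audit_backlog=321 > audit_backlog_limit=320",
    f"audit: audit_lost={n} audit_rate_limit=0 audit_backlog_limit=320",
    "audit: backlog limit exceeded",
)]

# Matches the key=value counters the kernel prints, e.g. audit_lost=1704.
KV = re.compile(r"\b(audit_\w+)=(\d+)")

def summarize(lines):
    """Summarize kernel audit backlog messages found in syslog lines."""
    lost, peak, limit, rate, overflows = [], 0, None, None, 0
    for line in lines:
        if "audit:" not in line:
            continue  # unrelated syslog traffic
        if "backlog limit exceeded" in line:
            overflows += 1
        kv = {k: int(v) for k, v in KV.findall(line)}
        if "audit_lost" in kv:
            lost.append(kv["audit_lost"])
            rate = kv.get("audit_rate_limit", rate)
        peak = max(peak, kv.get("audit_backlog", 0))
        limit = kv.get("audit_backlog_limit", limit)
    return {
        "overflows": overflows,          # "backlog limit exceeded" lines
        "backlog_limit": limit,          # current -b value
        "peak_backlog": peak,            # highest queue depth reported
        "rate_limit": rate,              # current -r value (0 = unlimited)
        "lost_total": lost[-1] if lost else 0,
        # audit_lost is a running counter: growth = last value - first value
        "lost_delta": lost[-1] - lost[0] if lost else 0,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
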


All times are GMT -5.