Old 05-25-2010, 12:29 AM   #1
asram
Question About the Linux Audit Subsystem


In /var/log/audit/audit.log there are lots of messages like this:
audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1700 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded

Through Google, I got the following recommendations:
To lengthen the backlog, edit /etc/audit/audit.rules and change the "-b 320"
to "-b 8192". This will allocate 8192 buffers in the kernel for audit events
instead of 320. If that doesn't do it, bump the priority by
editing /etc/audit/auditd.conf and change "priority_boost = 3"
to "priority_boost = 4" or 5.

Now I want to know the range of this backlog buffer.
What do we usually use as a reference to set this value?
Who can help me? Thank you!
 
Old 05-25-2010, 04:07 PM   #2
unSpawn
I doubt there's a hard and fast rule for it: just change the value if you find any 'grep 'backlog.limit.exceeded' /var/log/messages'.
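
To see whether a larger backlog limit has actually stopped events being dropped, the three message types quoted in the first post can be summarised from the log. This is an added example, not code posted by anyone in the thread; the function names, timestamps, host name and the second group of sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). audit_backlog_summary and sample_log
# are hypothetical helper names, not part of the audit tools.

# Reads log lines on stdin and prints one summary line:
#   overflows  = number of "backlog limit exceeded" messages
#   limit      = last audit_backlog_limit value seen
#   lost_first / lost_last = first and last audit_lost counter values
#   lost_delta = events dropped between those two messages
audit_backlog_summary() {
    awk '
        /audit: backlog limit exceeded/ { overflows++ }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^audit_lost=/) {
                    split($i, kv, "=")
                    if (!seen) { first = kv[2]; seen = 1 }
                    last = kv[2]
                }
                if ($i ~ /^audit_backlog_limit=/) {
                    split($i, kv, "=")
                    limit = kv[2]
                }
            }
        }
        END {
            printf "overflows=%d limit=%d lost_first=%d lost_last=%d lost_delta=%d\n", overflows, limit, first, last, last - first
        }'
}

# Constructed sample input modelled on the messages quoted in the first post.
sample_log() {
    cat <<'EOF'
May 25 00:01:10 host kernel: audit: audit_backlog=321 > audit_backlog_limit=320
May 25 00:01:10 host kernel: audit: audit_lost=1700 audit_rate_limit=0 audit_backlog_limit=320
May 25 00:01:10 host kernel: audit: backlog limit exceeded
May 25 00:01:12 host kernel: audit: audit_backlog=321 > audit_backlog_limit=320
May 25 00:01:12 host kernel: audit: audit_lost=1742 audit_rate_limit=0 audit_backlog_limit=320
May 25 00:01:12 host kernel: audit: backlog limit exceeded
EOF
}

sample_log | audit_backlog_summary
```

Pipe the real log file into `audit_backlog_summary` in place of `sample_log`; a `lost_delta` that keeps growing after raising `-b` means events are still being dropped. On a live system, `auditctl -s` reports the current backlog limit and lost counter directly.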
 
Old 05-31-2010, 04:08 AM   #3
asram
Quote:
Originally Posted by unSpawn
I doubt there's a hard and fast rule for it: just change the value if you find any 'grep 'backlog.limit.exceeded' /var/log/messages'.
Thank you
 
  

