Audisp is flooding /var/log/messages and trying to fix it

Comments

I'm upgrading from syslog to rsyslog in order to clean up logging. I've noticed that Audispd was flooding /var/log/messages with the following:

2015-12-23T08:33:46.370297-06:00 ameda4aisrx0238 audisp-remote: queue is full - dropping event

Under /etc/audisp/audispd.conf, I've changed the overflow_action from SYSLOG to SUSPEND, since I don't see a STIG pertaining to it:

q_depth = 2048
overflow_action = SUSPEND
priority_boost = 8
max_restarts = 10
name_format = HOSTNAME
#name = mydomain

That seemed to fix it for about 1 minute and then it was back to what it was.

I've read that q_depth could be increased to handle this since the logging can't keep up. The man page doesn't have a recommendation for a size or a best practice, so I'm wondering what would be a good number to set it to or see what others have done to fix this.

thanks

I'm wondering what

Started 2015-12-23T14:44:09+00:00 by

Christopher Miller

Expert 1215 points

Select Your Language

Audisp is flooding /var/log/messages and trying to fix it

Responses

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Responses

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links