I'm upgrading from syslog to rsyslog in order to clean up logging. I've noticed that Audispd was flooding /var/log/messages with the following:
2015-12-23T08:33:46.370297-06:00 ameda4aisrx0238 audisp-remote: queue is full - dropping event
Under /etc/audisp/audispd.conf, I've changed the overflow_action from SYSLOG to SUSPEND, since I don't see a STIG pertaining to it:
q_depth = 2048 overflow_action = SUSPEND priority_boost = 8 max_restarts = 10 name_format = HOSTNAME #name = mydomain
That seemed to fix it for about 1 minute and then it was back to what it was.
I've read that q_depth could be increased to handle this since the logging can't keep up. The man page doesn't have a recommendation for a size or a best practice, so I'm wondering what would be a good number to set it to or see what others have done to fix this.
I'm wondering what