Auditd service failed with the following error "auditd[XXX]: num_logs must be 999 or less "

Solution Verified - Updated -

Issue

  • Audit service is not starting due to the following errorauditd[XXX]: num_logs must be 999 or less
* auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2022-03-15 16:37:17 CET; 1min 45s ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 2275 ExecStart=/sbin/auditd (code=exited, status=6)

Mar 15 16:37:16  systemd[1]: Starting Security Auditing Service...
Mar 15 16:37:17  systemd[1]: auditd.service: control process exited, code=exited status=6
Mar 15 16:37:17  systemd[1]: Failed to start Security Auditing Service.
Mar 15 16:37:17  systemd[1]: Unit auditd.service entered failed state.
Mar 15 16:37:17  systemd[1]: auditd.service failed.
  • journalctl -u auditd
Mar 15 08:32:43  auditd[28352]: num_logs must be 999 or less  <--------- [1]
Mar 15 08:32:43 auditd[28352]: The audit daemon is exiting.
Mar 15 08:32:43  systemd[1]: auditd.service: control process exited, code=exited status=6
Mar 15 08:32:43 systemd[1]: Failed to start Security Auditing Service.
-- Subject: Unit auditd.service has failed

Environment

  • Red Hat Enterprise Linux 7(RHEL)
  • auditd

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content