auditd reports "Error receiving audit netlink packet (No buffer space available)" and/or system reboots on its own

Solution Verified - Updated -

Issue

  • auditd reports Error receiving audit netlink packet (No buffer space available) repeatedly after auditd log rotation or when applying a large yum update

    Dec 29 11:10:33 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:34 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:34 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:35 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:40 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:40 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)
Dec 29 11:10:40 myrhel8 auditd[719779]: Error receiving audit netlink packet (No buffer space available)

    But NO backlog limit exceeded messages like this:

    kernel: audit: audit_backlog=65537 > audit_backlog_limit=65536
kernel: audit: audit_lost=126533574 audit_rate_limit=0 audit_backlog_limit=65536

    (This case is described in 'kernel: audit: backlog limit exceeded' messages in /var/log/messages)

  • System automatically panics when auditd is configured with -f 2 parameter in its rules

    # grep -- "-f 2" /etc/audit/audit.rules 
-f 2

  • No third party kernel module is installed

Environment

  • Red Hat Enterprise Linux 8, 9 and 10
    • auditd

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content