VMcore analysis on "Kernel panic - not syncing: audit: backlog limit exceeded" and audit messages.

Solution Verified - Updated -

Issue

  • System crashed with the following call traces.
crash> log
[..]
audit: audit_backlog=8193 > audit_backlog_limit=8192
audit: audit_backlog=8193 > audit_backlog_limit=8192
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=8192
Kernel panic - not syncing: audit: backlog limit exceeded

Pid: 2105, comm: telegraf Not tainted 2.6.32-754.3.5.el6.x86_64 #1
Call Trace:
 [<ffffffff81558237>] ? panic+0xa7/0x18b
 [<ffffffff8108183e>] ? vprintk_default+0xe/0x10
 [<ffffffff810e969d>] ? audit_panic+0x3d/0x70
 [<ffffffff810e970e>] ? audit_log_lost+0x3e/0xd0
 [<ffffffff810ea42f>] ? audit_log_start+0x20f/0x490
 [<ffffffff81070890>] ? default_wake_function+0x0/0x20
 [<ffffffff810f1a87>] ? audit_log_exit+0xc7/0xd50
 [<ffffffff810f036b>] ? audit_filter_rules+0x10b/0xd80
 [<ffffffff810f1073>] ? audit_filter_syscall+0x93/0xf0
 [<ffffffff810f2db1>] ? __audit_syscall_exit+0x281/0x290
 [<ffffffff8156453b>] ? sysret_audit+0x17/0x21
[..]

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • auditd

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In