Why does auditd report "Audit daemon is low on disk space for logging" warning in messages log ?
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Issue
audtitddaemon reported "Audit daemon is low on disk space for logging" warning in/var/log/messages file.
Resolution
There are different options to overcome this situation:
- Clear unwanted files from
/varto recover free space. - Increase the size of
/varfile system. - The
/etc/audit/auditd.confconfiguration file contains thespace_leftoption which describes numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space. Checkauditd.confman page for more information on possible actions and their behavior.
Root Cause
- The
/varfile system does not have enough free space. - The auditd daemon writes "Audit daemon is low on disk space for logging" in messages log file when the log destination file system does not have enough free space.
Diagnostic Steps
-
Corresponding code for this error message:
if (admin) action = config->admin_space_left_action; else action = config->space_left_action; switch (action) { case FA_IGNORE: break; case FA_SYSLOG: audit_msg(LOG_ALERT, "Audit daemon is low on disk space for logging"); break;
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments