Why does auditd report "Audit daemon is low on disk space for logging" warning in messages log ?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7

Issue

  • Audtitd reported "Audit daemon is low on disk space for logging" warning in /var/log/messages file.

Resolution

  • The auditd daemon writes "Audit daemon is low on disk space for logging" in messages log file when the log destination filesystem does not have enough free space.

  • Possible solutions is to clear unwanted files from /var file system OR increase the size of /var file system if it is a Logical Vloume.

  • More details:

  • The /etc/audit/auditd.conf contains an option "space_left" and which describes numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is starting to run low on disk space.

  • Also, "space_left_action" in auditd.conf describes what action to take when the system has detected that it is starting to get low on disk space. Valid values are ignore, syslog, email, suspend, single, and halt. If set to ignore, the audit daemon does nothing. syslog means that it will issue a warning to syslog. Email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog. suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The single option will cause the audit daemon to put the computer system in single user mode. halt option will cause the audit daemon to shutdown the computer system.

Root Cause

  • The /var file system does not have enough free space.

Diagnostic Steps

  • Corresponding code for this error message:

    if (admin)
     action = config->admin_space_left_action;
     else
     action = config->space_left_action;
     switch (action)
     {
     case FA_IGNORE:
     break;
     case FA_SYSLOG:
     audit_msg(LOG_ALERT,
     "Audit daemon is low on disk space for logging");
     break;

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.