Otdfbt

Explicit direct #include vs. Non-contractual transitive #include

Why do you need to heat the pan before heating the olive oil?

How can Caller ID be faked?

How useful is the GRE Exam?

What is this plant I saw for sale at a Romanian farmer's market?

What kind of chart is this?

How can the US president give an order to a civilian?

How can this shape perfectly cover a cube?

Have Steve Rogers (Captain America) and a young Erik Lehnsherr (Magneto) interacted during WWII?

Why is gun control associated with the socially liberal Democratic party?

I have found ports on my Samsung smart tv running a display service. What can I do with it?

In windows systems, is renaming files functionally similar to deleting them?

What are the mechanical differences between Adapt and Monstrosity?

How could I create a situation in which a PC has to make a saving throw or be forced to pet a dog?

How can I detect if I'm in a subshell?

Time at 1G acceleration to travel 100000 light years

Co-worker is now managing my team. Does this mean that I'm being demoted?

How to know whether to write accidentals as sharps or flats?

Digital signature that is only verifiable by one specific person

What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?

Print the phrase "And she said, 'But that's his.'" using only the alphabet

Is the infant mortality rate among African-American babies in Youngstown, Ohio greater than that of babies in Iran?

Do my partner and son need an SSN to be dependents on my taxes?

How do I run a script as sudo at boot time on Ubuntu 18.04 Server?

Why is audispd dropping events? What is in the queue?

Why is my mail stuck in the queue with the status “retry” in Exchange 2003?How do I permanently delete e-mail messages in the sendmail queue and keep them from coming back?Exim queue in WHMRunning task queue on server?Is it possible to maintain the queue while restarting HAProxyWill Ubuntu automatically queue hundreds of processes?suppress audit events from a specific userHow to prevent logging USER_AUTH and USER_LOGIN events with auditdWhy does auditd only log `echo` when I use the absolute path?How to configure auditd to record all the activity from events which run with WinSCP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

My audispd keeps logging lots of queue full errors.

 Jun 9 08:46:29 web audispd: queue is full - dropping event

I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually increasing the q_depth (currently up to 300). My thoughts are that I shouldn't be seeing so many messages that the queue can't be processed. So, how do I find out what is in the queue and why it isn't being flushed out?
(There shouldn't be many events, it's a very quiet web server)

queue auditd

share|improve this question

asked Jun 9 '15 at 9:53

user126785user126785

61117

add a comment | 

2

My audispd keeps logging lots of queue full errors.

 Jun 9 08:46:29 web audispd: queue is full - dropping event

I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually increasing the q_depth (currently up to 300). My thoughts are that I shouldn't be seeing so many messages that the queue can't be processed. So, how do I find out what is in the queue and why it isn't being flushed out?
(There shouldn't be many events, it's a very quiet web server)

queue auditd

share|improve this question

asked Jun 9 '15 at 9:53

user126785user126785

61117

add a comment | 

My audispd keeps logging lots of queue full errors.

 Jun 9 08:46:29 web audispd: queue is full - dropping event

I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually increasing the q_depth (currently up to 300). My thoughts are that I shouldn't be seeing so many messages that the queue can't be processed. So, how do I find out what is in the queue and why it isn't being flushed out?
(There shouldn't be many events, it's a very quiet web server)

queue auditd

share|improve this question

asked Jun 9 '15 at 9:53

user126785user126785

61117

 Jun 9 08:46:29 web audispd: queue is full - dropping event

share|improve this question

asked Jun 9 '15 at 9:53

user126785user126785

61117

share|improve this question

asked Jun 9 '15 at 9:53

user126785user126785

61117

asked Jun 9 '15 at 9:53

user126785user126785

61117

asked Jun 9 '15 at 9:53

user126785user126785

61117

1 Answer
1

active

oldest

votes

0

See this thread, which includes a response from the auditd maintainer. It's not super informative, but it gives some good hints.

I did as suggested, and set priority_boost = 8, which seems to have fixed the issues for me.

The manpages for audispd.conf and audisp-remote.conf seem to suggest that queue_depth is the more correct parameter to adjust. However, you noted that this wasn't working for you.

I don't understand well what priority_boost does, but I assume it prevents audit events from being queued to begin with, or at least from spending so much time in the queue. So there's less chance of the queue becoming full.

There doesn't appear to be much guidance on how to set these parameters, it's just a matter of tuning them until they work.

share|improve this answer

edited Nov 16 '17 at 17:50

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f697587%2fwhy-is-audispd-dropping-events-what-is-in-the-queue%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

See this thread, which includes a response from the auditd maintainer. It's not super informative, but it gives some good hints.

I did as suggested, and set priority_boost = 8, which seems to have fixed the issues for me.

The manpages for audispd.conf and audisp-remote.conf seem to suggest that queue_depth is the more correct parameter to adjust. However, you noted that this wasn't working for you.

I don't understand well what priority_boost does, but I assume it prevents audit events from being queued to begin with, or at least from spending so much time in the queue. So there's less chance of the queue becoming full.

There doesn't appear to be much guidance on how to set these parameters, it's just a matter of tuning them until they work.

share|improve this answer

edited Nov 16 '17 at 17:50

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

add a comment | 

0

See this thread, which includes a response from the auditd maintainer. It's not super informative, but it gives some good hints.

I did as suggested, and set priority_boost = 8, which seems to have fixed the issues for me.

The manpages for audispd.conf and audisp-remote.conf seem to suggest that queue_depth is the more correct parameter to adjust. However, you noted that this wasn't working for you.

I don't understand well what priority_boost does, but I assume it prevents audit events from being queued to begin with, or at least from spending so much time in the queue. So there's less chance of the queue becoming full.

There doesn't appear to be much guidance on how to set these parameters, it's just a matter of tuning them until they work.

share|improve this answer

edited Nov 16 '17 at 17:50

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

add a comment | 

See this thread, which includes a response from the auditd maintainer. It's not super informative, but it gives some good hints.

I did as suggested, and set priority_boost = 8, which seems to have fixed the issues for me.

The manpages for audispd.conf and audisp-remote.conf seem to suggest that queue_depth is the more correct parameter to adjust. However, you noted that this wasn't working for you.

I don't understand well what priority_boost does, but I assume it prevents audit events from being queued to begin with, or at least from spending so much time in the queue. So there's less chance of the queue becoming full.

There doesn't appear to be much guidance on how to set these parameters, it's just a matter of tuning them until they work.

share|improve this answer

edited Nov 16 '17 at 17:50

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

share|improve this answer

edited Nov 16 '17 at 17:50

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116

answered Nov 16 '17 at 17:16

orodbhenorodbhen

1116