On Tue, 2009-08-18 at 09:02 -0400, David Flatley wrote:
> When I do "service auditd rotate" I am getting in
> the /var/log/messages the following:
>
> Error receiving audit netlink packet (No buffer space available)
> Error sending signal_info request (No buffer space available)
>
> At the same time I am running a regression test that is generating 20
> meg audit logs every six to eight minutes.
>
> Is this a concern?
>
> David Flatley
David,

What I believe is happening is that you are generating an abnormal amount of audit data in your regression test. That's OK, but I think when you do the rotate the auditd suspends disk writes while it waits for the rotate to complete.

IIRC, the rotate starts with the highest number log, rolls it to the next higher number. Then it decrements the counter and repeats. So log.13->log.14, then log.12->log.13, etc., and eventually moves audit.log to audit.log.1. Then a new audit.log is created and the flow resumes.

While this happens, you are stacking up events from the kernel and eventually run out of space. On some machines where the log files are in the hundreds (I had around 300) I have seen the rotate take an appreciable amount of time.

So you are probably dropping events when you get the above messages and I guess that is for you to decide if you are concerned about this for the duration of the test.

This sounds like an instance of where you know that some application will generate huge amounts of AVC data you do not want to see in the logs, and ideally you would block those events with a rule. However, last week I believe, Steve noted that under the current kernel code (and probably auditctl rules) you cannot selectively exclude AVCs.

LCB.

--
LC (Lenny) Bruzenak
[email protected]
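
An added example, not part of the original thread or of the audit project's code: one way to check whether the kernel counted events as lost across a rotate, by comparing the `lost` counter reported by `auditctl -s` before and after. The function names, the 5-second settle time and the sample status text are constructed for illustration; the parser accepts both the one-line `key=value` status layout and the one-field-per-line layout.

```shell
#!/bin/sh
# Added example: compare the audit "lost" counter before and after a rotate.

# Constructed sample status text in the two layouts auditctl -s has used.
SAMPLE_ONELINE='AUDIT_STATUS: enabled=1 flag=1 pid=2084 rate_limit=0 backlog_limit=320 lost=12 backlog=0'
SAMPLE_MULTILINE='enabled 1
failure 1
pid 2084
rate_limit 0
backlog_limit 320
lost 57
backlog 3'

# audit_field NAME: read status text on stdin, print the value of field NAME.
# Exits non-zero if the field is absent, so callers never treat "" as 0.
audit_field() {
    awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++) {          # key=value tokens on one line
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == want) { print kv[2]; found = 1; exit }
            }
            if (NF == 2 && $1 == want) {         # "key value" on its own line
                print $2; found = 1; exit
            }
        }
        END { if (!found) exit 1 }
    '
}

# lost_delta BEFORE AFTER: events counted as lost between two status snapshots.
lost_delta() {
    before=$(printf '%s\n' "$1" | audit_field lost) || return 2
    after=$(printf '%s\n' "$2" | audit_field lost) || return 2
    echo $((after - before))
}

# rotate_and_report [SETTLE_SECONDS]: snapshot, rotate, snapshot again (root).
rotate_and_report() {
    s1=$(auditctl -s) || return 1
    service auditd rotate || return 1
    sleep "${1:-5}"                               # assumed settle time
    s2=$(auditctl -s) || return 1
    d=$(lost_delta "$s1" "$s2") || return 1
    echo "lost during rotate: $d" \
         "(backlog $(printf '%s\n' "$s2" | audit_field backlog)," \
         "limit $(printf '%s\n' "$s2" | audit_field backlog_limit))"
}
```

Run `rotate_and_report` as root while the regression test is generating load; a non-zero delta means the kernel counted discarded records during the rotate window.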
