On Tue, Feb 28, 2023 at 5:53 AM Anurag Aggarwal <anurag19aggar...@gmail.com> wrote:
> Hello All,
>
> The current rate limiter, audit_set_rate_limit limits all types of events. In
> our case, we want to limit auditd events with a specific key, as they are
> very noisy and consume very high CPU.
>
> From my understanding, this support is currently missing in AuditD.
>
> Is my understanding correct?

Hello.

Limiting of audit records is actually done in the kernel, and currently the rate limit applies equally[1] to all records; there is no ability to enforce limits per-key. If you have a particular audit rule which is too verbose *and* you are willing to lose audit records from that filter rule (which is what would happen if they were rate limited), you might want to consider making that audit filter rule more targeted to the event you are interested in logging. Generating more audit records than you want to see can be a sign of an overly general audit rule.

Good luck!

[1] Audit records generated by auditd/auditctl are exempt from rate limiting to help prevent lockups/contention.

--
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
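
One way to find what a verbose rule should be narrowed to, as an added example that is not part of the original thread: it counts SYSCALL records per rule key and, for one key, per executable and syscall number. The log lines and the key names `etc-watch` and `sshd-config` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: SYSCALL records in raw audit.log layout, fields trimmed.
# The key names "etc-watch" and "sshd-config" are made up for this example.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1677577980.101:501): arch=c000003e syscall=257 success=yes pid=811 comm="rsync" exe="/usr/bin/rsync" key="etc-watch"
type=SYSCALL msg=audit(1677577980.102:502): arch=c000003e syscall=257 success=yes pid=811 comm="rsync" exe="/usr/bin/rsync" key="etc-watch"
type=SYSCALL msg=audit(1677577980.103:503): arch=c000003e syscall=262 success=yes pid=811 comm="rsync" exe="/usr/bin/rsync" key="etc-watch"
type=SYSCALL msg=audit(1677577980.104:504): arch=c000003e syscall=257 success=yes pid=811 comm="rsync" exe="/usr/bin/rsync" key="etc-watch"
type=SYSCALL msg=audit(1677577981.200:505): arch=c000003e syscall=257 success=yes pid=902 comm="vim" exe="/usr/bin/vim" key="etc-watch"
type=SYSCALL msg=audit(1677577982.300:506): arch=c000003e syscall=257 success=yes pid=950 comm="sshd" exe="/usr/sbin/sshd" key="sshd-config"
type=PATH msg=audit(1677577982.300:506): item=0 name="/etc/ssh/sshd_config" nametype=NORMAL
"""

# name=value pairs; a value is either a quoted string or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return one audit record as a dict of field name to unquoted value."""
    return {name: value.strip('"') for name, value in FIELD.findall(line)}


def syscall_records(log_text):
    """Yield parsed SYSCALL records that carry a rule key."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("key", "(null)") != "(null)":
            yield rec


def per_key_totals(log_text):
    """Count records per rule key, to see which rule produces the volume."""
    return Counter(rec["key"] for rec in syscall_records(log_text))


def noisy_sources(log_text, key):
    """For one key, count records per (exe, syscall) pair."""
    return Counter(
        (rec.get("exe", "?"), rec.get("syscall", "?"))
        for rec in syscall_records(log_text)
        if rec["key"] == key
    )


if __name__ == "__main__":
    print(per_key_totals(SAMPLE_LOG).most_common())
    for (exe, syscall), n in noisy_sources(SAMPLE_LOG, "etc-watch").most_common():
        print(f"{n:4d}  exe={exe}  syscall={syscall}")
```

The pair that dominates the count for a key shows where the rule is broader than the event of interest, which is the case the reply suggests narrowing.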