auditctl buffer setting - how large is this?
The backlog option limits the number of messages that can be queued up waiting to be written to the log. So the unit of the backlog option isn't bytes or connections, but rather 'number of audit messages'.
Choosing a sane value for this setting depends entirely on your system. I'd recommend starting out with the default and increasing it as needed. If you exceed the backlog limit, then you will see the message "audit: backlog limit exceeded" in your logs.
The backlog queue is stored in memory so increasing the backlog limit will increase memory consumption as the queue grows. Each message is typically just under 9000 bytes. You don't want the backlog limit too low, but you also do not want to set an insanely high value that could eat up a significant portion of your system memory.
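An added example to make the sizing check concrete (this is not code from the original answer or from the audit project): a POSIX shell script that reads the fields `auditctl -s` prints (backlog_limit, lost, backlog), bounds the memory the queue could hold using the kernel's MAX_AUDIT_MESSAGE_LENGTH constant (8970 bytes, from include/uapi/linux/audit.h, the largest a single record can be), and counts the kernel's "audit: backlog limit exceeded" lines in dmesg output. The status text and dmesg lines below are constructed samples, not captured from a real host; the 80% near-full threshold and the verdict names (LOST, NEAR_FULL, OK) are this example's own choices.

```shell
#!/bin/sh
# Added example: sanity-check the audit backlog limit from auditctl/dmesg output.
# Upper bound on the size of one audit record, from include/uapi/linux/audit.h.
MAX_AUDIT_MESSAGE_LENGTH=8970

# Constructed sample of `auditctl -s` output (assumption: field layout "name value").
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 17
backlog 300
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# Constructed sample of dmesg lines emitted when the queue overflows.
SAMPLE_DMESG='[  120.001] audit: audit_backlog=321 > audit_backlog_limit=320
[  120.001] audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=320
[  120.002] audit: backlog limit exceeded
[  120.500] audit: backlog limit exceeded'

# audit_field NAME STATUS_TEXT -> value of the first line whose first word is NAME
audit_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# backlog_worst_case_bytes LIMIT -> bytes the queue can hold if every record is maximal
backlog_worst_case_bytes() {
    echo $(( $1 * MAX_AUDIT_MESSAGE_LENGTH ))
}

# backlog_exceeded_count DMESG_TEXT -> number of "backlog limit exceeded" lines
backlog_exceeded_count() {
    printf '%s\n' "$1" | grep -c 'audit: backlog limit exceeded' || true
}

# backlog_verdict STATUS_TEXT -> LOST, NEAR_FULL or OK
#   LOST      the kernel has already dropped records (lost counter > 0)
#   NEAR_FULL current queue depth is at or above 80% of backlog_limit
backlog_verdict() {
    limit=$(audit_field backlog_limit "$1")
    lost=$(audit_field lost "$1")
    backlog=$(audit_field backlog "$1")
    limit=${limit:-0}; lost=${lost:-0}; backlog=${backlog:-0}
    if [ "$lost" -gt 0 ]; then
        echo LOST
    elif [ "$limit" -gt 0 ] && [ $(( backlog * 100 )) -ge $(( limit * 80 )) ]; then
        echo NEAR_FULL
    else
        echo OK
    fi
}

# backlog_report STATUS_TEXT DMESG_TEXT -> one summary line
backlog_report() {
    limit=$(audit_field backlog_limit "$1")
    printf 'backlog_limit=%s backlog=%s lost=%s overflow_msgs=%s verdict=%s worst_case_mem=%s bytes\n' \
        "$limit" "$(audit_field backlog "$1")" "$(audit_field lost "$1")" \
        "$(backlog_exceeded_count "$2")" "$(backlog_verdict "$1")" \
        "$(backlog_worst_case_bytes "${limit:-0}")"
}

# On a real host replace the samples with live data:
#   backlog_report "$(auditctl -s)" "$(dmesg)"
backlog_report "$SAMPLE_STATUS" "$SAMPLE_DMESG"
```

The `lost` counter is cumulative (records dropped since boot or since it was last reset), so any non-zero value means the limit has already been hit at some point even if the current `backlog` looks healthy. The worst-case figure is deliberately pessimistic: most records are far smaller than 8970 bytes, so it is an upper bound on what raising `-b` can cost you, not the expected usage.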
Comments
drew over 1 year
Within the default audit.rules file on CentOS 5, 6 and 7, the following is set:

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320
However, there is no mention of what unit the provided number is.
The man page for auditctl is not clear:

    OPTIONS
    -b backlog
        Set max number of outstanding audit buffers allowed (Kernel Default=64)
        If all buffers are full, the failure flag is consulted by the kernel for action.
I've seen recommendations for this value that encompass a huge range of possible numbers (320, 8192, all the way up to 32768 and beyond).
I want to make sure that the value I'm setting is sane and that I'm not merely covering the tracks of an inefficient audit.rules file. Is there some sort of implied size of a kernel / audit buffer? What would the recommendation be here?