3

I have some Linux servers that are getting errors like the below in the logs...

auditd[1074]: Error receiving audit netlink packet (No buffer space available)

I know HOW to resolve the issue (tweak the audit buffer setting in audit.rules), but I'm wondering WHAT is the impact of this?

Am I actually losing auditd events in the blog? Is it failing to write the events when it runs out of buffer space?

I have been Googling, but I haven't found a concrete answer.

Improve this question

1 Answer 1

Reset to default
2

You could try increasing auditd's buffer size. In rhel 8 is would be in/etc/audit/rules.d/audit.rules

Improve this answer
1
  • 1
    In the end, this is what I wound up doing. I've been tuning this on a per-server basis. Commented Oct 13, 2023 at 14:26

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.