Linux audit “Backlog limit exceeded”
If you’re running a busy Linux system, you may see the following error in your kernel logs:
audit: backlog limit exceeded
For example, the same messages may also be written to your console output.
To alleviate the message output in your logs, you can increase the audit buffer.
Edit /etc/audit/rules.d/audit.rules and increase the value for “-b”. For Red Hat Linux 6 and 7 systems, the default value is 320.
[root@k8s-master test]# cat /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
Determining the appropriate value may require some time and experimentation. As a general rule, we suggest doubling the value and then observing its effects. It is recommended not to set the value too high, as it may cause increased system resource usage.
Once your value is set, save the file and restart the auditd service.
[root@k8s-master test]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
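The doubling procedure above, as an added example (not code from the original post): a small POSIX shell script that reads the counters `auditctl -s` prints (`backlog_limit`, `backlog` and `lost`), decides whether the queue is actually too small, and doubles the `-b` line in a rules file. The status lines and the rules file used in the demo are constructed copies; the 90% "near the limit" threshold is an assumption chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): inspect audit backlog counters
# and bump the "-b" line in an audit.rules file. The sample counters and the
# temporary rules file below are constructed for the demo; the real file is
# /etc/audit/rules.d/audit.rules.

# Pull one value out of "auditctl -s" style output read from stdin,
# e.g.  auditctl -s | audit_status_value backlog_limit
audit_status_value() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# Succeed (return 0) when the counters on stdin suggest the backlog is too
# small: records have already been lost, or the queue sits within 10% of its
# limit (the 90% threshold is an assumption for this example).
backlog_needs_raise() {
    status=$(cat)
    lost=$(printf '%s\n' "$status" | audit_status_value lost)
    limit=$(printf '%s\n' "$status" | audit_status_value backlog_limit)
    backlog=$(printf '%s\n' "$status" | audit_status_value backlog)
    [ "${lost:-0}" -gt 0 ] && return 0
    [ "${limit:-0}" -gt 0 ] && [ "${backlog:-0}" -ge $((limit * 9 / 10)) ] && return 0
    return 1
}

# Double the "-b" value in the rules file $1 and print the new value.
# The file is rewritten through a temp file so a failure mid-way leaves the
# original untouched; comment lines and other rules are copied unchanged.
double_backlog_limit() {
    file="$1"
    current=$(awk '$1 == "-b" { print $2; exit }' "$file")
    [ -n "$current" ] || { echo "no -b line in $file" >&2; return 1; }
    new=$((current * 2))
    tmp="${file}.tmp.$$"
    awk -v new="$new" '$1 == "-b" { $2 = new } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    echo "$new"
}

# Demo on a constructed copy of the stock rules file shown in the post.
rules=$(mktemp)
printf '%s\n' '# First rule - delete all' '-D' \
    '# Increase the buffers to survive stress events.' '-b 320' > "$rules"

# Constructed counters in the one-key-per-line layout "auditctl -s" uses,
# for a box that has already dropped records.
sample_status='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 57
backlog 318'

if printf '%s\n' "$sample_status" | backlog_needs_raise; then
    echo "backlog too small; raising -b to $(double_backlog_limit "$rules")"
    cat "$rules"
fi
rm -f "$rules"
```

On a live system, feed the real counters with `auditctl -s | backlog_needs_raise` before touching the file: a `lost` counter that keeps climbing is what confirms the message is about queue size, while a `lost` counter that keeps rising even after `-b` has been doubled points at the slower cause the post mentions (the daemon not draining the queue because writing the log is slow). The script only edits the file; the `service auditd restart` step above still has to be run for the new limit to take effect.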
Please note that the audit: backlog limit exceeded message is a generic message and could be a symptom of a bigger issue (most commonly, log writing problems caused by ext4 file system issues). Further troubleshooting may be necessary.