Linux audit “Backlog limit exceeded”
If you are running a busy Linux system, you may see the following error in your kernel logs (dmesg, /var/log/messages or journalctl -k):
audit: backlog limit exceeded
The kernel queues audit records in a buffer for the auditd daemon to consume. When more records are waiting than the configured backlog limit allows, the kernel drops the new records and logs this message. On a loaded system it is typically repeated many times and may also be written to your console output.
To stop the records from being dropped (and the message from flooding your logs), you can increase the audit backlog buffer.
Edit the audit rules file (/etc/audit/rules.d/audit.rules on systems that use augenrules to build the rule set, otherwise /etc/audit/audit.rules) and increase the value of the “-b” option, which is the number of outstanding audit records the kernel will hold. On Red Hat Enterprise Linux 6 and 7 systems the default value is 320.
[root@k8s-master test]# cat /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
Determining the appropriate value may require some time and experimentation. As a general rule, we suggest doubling the value and then observing its effects: auditctl -s prints the current backlog_limit together with a lost counter, which counts records the kernel has dropped, and the new value is large enough when lost stops increasing under normal load. It is not recommended to set the value much higher than needed, since every queued record is held in kernel memory and a very large limit lets a burst of events consume more of it.
Once your value is set, save the file and restart the auditd service. Use the service command rather than systemctl on RHEL 7: the auditd unit refuses a manual stop through systemctl, so the init script is the supported way to restart it. If you need the change to take effect immediately, the same limit can also be applied at runtime with auditctl -b N, which is lost at the next restart unless the rules file is updated as well.
[root@k8s-master test]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
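The tuning loop described above, as an added shell example that is not from the original post: it reads the counters that auditctl -s prints (backlog_limit and lost), decides whether the limit needs to grow, and doubles the -b value in a rules file. The auditctl -s output and the rules file used here are constructed samples, and the 65536 cap is an assumption of this example, not an auditd default.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the kernel audit queue
# counters and double the "-b" backlog limit in an audit rules file.

# Constructed sample of the multi-line "auditctl -s" output from audit 2.x,
# showing a system that has already dropped records (lost > 0) at the
# RHEL default limit of 320.
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 320
lost 57
backlog 320
loginuid_immutable 0 unlocked'

# audit_field "<auditctl -s output>" <field>  -> prints the field's value.
audit_field() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# backlog_verdict "<auditctl -s output>" -> prints "grow" when the kernel has
# dropped records (lost > 0), otherwise "ok". The lost counter is the direct
# evidence that "backlog limit exceeded" is really about the queue size.
backlog_verdict() {
  lost=$(audit_field "$1" lost)
  if [ "${lost:-0}" -gt 0 ]; then echo grow; else echo ok; fi
}

# bump_backlog <rules file> [cap] -> doubles the value of the "-b N" line in
# place and prints the new value. The cap (default 65536, an assumption of this
# example) keeps a runaway doubling loop from pinning large amounts of kernel
# memory; comment lines and other rules are left untouched.
bump_backlog() {
  file=$1
  cap=${2:-65536}
  cur=$(awk '$1 == "-b" { print $2; exit }' "$file")
  [ -n "$cur" ] || { echo "no -b rule in $file" >&2; return 1; }
  new=$((cur * 2))
  [ "$new" -le "$cap" ] || new=$cap
  # Rewrite via a temporary file so the edit is portable across awk/sed flavours.
  tmp=$(mktemp) || return 1
  awk -v n="$new" '$1 == "-b" { $2 = n } { print }' "$file" > "$tmp" \
    && cat "$tmp" > "$file"
  rm -f "$tmp"
  echo "$new"
}

# Stand-alone demonstration on the constructed status and a throwaway rules file.
demo_rules=$(mktemp)
printf '%s\n' '-D' '-b 320' '-w /etc/audit/ -p wa -k auditconfig' > "$demo_rules"
echo "lost=$(audit_field "$SAMPLE_STATUS" lost) verdict=$(backlog_verdict "$SAMPLE_STATUS")"
echo "new -b value: $(bump_backlog "$demo_rules")"
rm -f "$demo_rules"

# Real use (not run here): feed the live status to backlog_verdict, then
#   bump_backlog /etc/audit/rules.d/audit.rules && service auditd restart
# or apply the same number immediately with: auditctl -b <new value>
```

On a live system, run the verdict against `auditctl -s` output before touching the file: if lost is zero the message you saw is historical and no change is needed, and if it keeps climbing after a doubling the bottleneck is more likely auditd's ability to write its log than the buffer size.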
Please note that the audit: backlog limit exceeded message is generic: it only tells you that records were dropped because auditd did not drain the kernel queue quickly enough. That can be a harmless burst of events, but it can also be a symptom of a bigger issue, most commonly auditd being unable to write its log because of ext4 file system problems on the disk holding /var/log/audit. If raising the buffer does not make the lost counter stop growing, further troubleshooting of auditd and its log storage is necessary.
This article explains how to resolve the “Backlog limit exceeded” error on Linux systems by adjusting the audit log buffer size to mitigate the problem, and offers general recommendations.