[root@rock:/var/log/audit] : service auditd status
Redirecting to /bin/systemctl status auditd.service
  auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-01-11 08:24:35 EST; 51min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 94529 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 94513 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 94515 (auditd)
   CGroup: /system.slice/auditd.service
           +-94515 /sbin/auditd
           +-94517 /sbin/audispd
           +-94519 /usr/sbin/sedispatch

Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock augenrules[94529]: enabled 1
Jan 11 08:24:35 rock augenrules[94529]: failure 1
Jan 11 08:24:35 rock augenrules[94529]: pid 94515
Jan 11 08:24:35 rock augenrules[94529]: rate_limit 0
Jan 11 08:24:35 rock augenrules[94529]: backlog_limit 1048576
Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock systemd[1]: Started Security Auditing Service.

In RHEL 7.9, when using auditd, I believe I have everything working well, but when I do the above I see lost 4892.

What does that lost value mean? Is it bad? Should I want that to be zero?

For reference below is my /etc/audit/auditd.conf

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 100
# max log file size in MB, does not matter with KEEP_LOGS
max_log_file = 10000
max_log_file_action = KEEP_LOGS
# no log rotation
num_logs = 0
priority_boost = 0
admin_space_left_action = SINGLE
disk_full_action = SINGLE
disk_error_action = SINGLE
disp_qos = LOSSLESS
dispatcher = /sbin/audispd
name_format = HOSTNAME
space_left = 500
admin_space_left = 300
space_left_action = email
verify_email = yes
action_mail_acct = root
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

ron
  • 6,575

1 Answer


Newbie here using audit; according to the man page of auditctl, when using the -s option:

-s Report the kernel's audit subsystem status. It will tell you the in-kernel values that can be set by -e, -f, -r, and -b options. The pid value is the process number of the audit daemon. Note that a pid of 0 indicates that the audit daemon is not running. The lost entry will tell you how many event records that have been discarded due to the kernel audit queue overflowing. The backlog field tells how many event records are currently queued waiting for auditd to read them. This option can be followed by the -i to get a couple fields interpreted.

The part that talks about the lost value is in bold.

mcmx
  • 121
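A worked way to act on the man page text quoted in the answer, added here as an example and not part of the original question or answer: the shell functions below parse the same status fields that augenrules printed in the question (pid, backlog, backlog_limit, lost), turn one snapshot into a verdict, and compare the lost counter between two snapshots. The kernel's lost counter is cumulative, so the useful question is not "is it non-zero" but "is it still increasing while auditd is running". The status text embedded below is a constructed copy of the question's numbers, not a live capture; the function names are this example's own.

```shell
#!/bin/sh
# Added example: interpret `auditctl -s` style status output.
# SAMPLE_STATUS is constructed from the values shown in the question.

SAMPLE_STATUS='enabled 1
failure 1
pid 94515
rate_limit 0
backlog_limit 1048576
lost 4892
backlog 0'

# Print the value of one field (first occurrence) from status text.
# $1 = status text, $2 = field name (e.g. lost)
audit_status_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $2; exit }'
}

# Classify one snapshot. Prints exactly one of:
#   daemon-down     pid is 0, so nothing is reading the kernel queue
#   queue-pressure  backlog is within 10% of backlog_limit, drops are imminent
#   lost-events     the kernel has already discarded records (lost > 0)
#   ok              nothing lost and the queue is not under pressure
audit_verdict() {
    status="$1"
    pid=$(audit_status_field "$status" pid);             pid=${pid:-0}
    lost=$(audit_status_field "$status" lost);           lost=${lost:-0}
    backlog=$(audit_status_field "$status" backlog);     backlog=${backlog:-0}
    limit=$(audit_status_field "$status" backlog_limit); limit=${limit:-0}

    if [ "$pid" -eq 0 ]; then
        echo daemon-down; return
    fi
    # Integer arithmetic only: backlog >= 90% of backlog_limit
    if [ "$limit" -gt 0 ] && [ $((backlog * 10)) -ge $((limit * 9)) ]; then
        echo queue-pressure; return
    fi
    if [ "$lost" -gt 0 ]; then
        echo lost-events; return
    fi
    echo ok
}

# The lost counter only ever grows, so compare two snapshots taken some
# time apart. Prints how many records were discarded between them; a
# non-zero result means the queue is overflowing right now, while zero
# means the 4892 in the question are historical.
# $1 = earlier status text, $2 = later status text
audit_lost_delta() {
    old=$(audit_status_field "$1" lost); old=${old:-0}
    new=$(audit_status_field "$2" lost); new=${new:-0}
    echo $((new - old))
}

# Live usage on a host with the audit tools (needs root):
#   first=$(auditctl -s); sleep 60; second=$(auditctl -s)
#   audit_verdict "$second"
#   audit_lost_delta "$first" "$second"
```

If the delta stays at zero across several minutes of normal load, the losses happened earlier (for instance before auditd was up and reading the queue) and the counter will not return to zero without a reboot. If it keeps climbing, the queue is overflowing under current load: the -b option named in the man page excerpt is what sets the in-kernel backlog_limit, and the daemon side (flush and freq in auditd.conf) controls how quickly records are drained.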