Auditbeat lost events

KevinShi · August 2, 2023, 11:32am

My auditbeat drop all events when it start a minutes. And auditbeat status info:

Aug 02 19:11:51  auditbeat[29357]: 2023-08-02T19:11:51.440+0800        INFO        [auditd]        auditd/audit_linux.go:286        audit status from kernel at start        {"audit_status": {"Mask":0,"Enabled":1,"Failure":0,"PID":0,"RateLimit":5000,"BacklogLimit":8192,"Lost":2139,"Backlog":0,"FeatureBitmap":61,"BacklogWaitTime":0}}
Aug 02 19:11:51  auditbeat[29357]: 2023-08-02T19:11:51.440+0800        WARN        [auditd]        auditd/audit_linux.go:316        setting backlog wait time is not supported in this kernel. Enabling workaround.

My test 7.9.3 7.13.4 7.16.3,but problem still exist!
And configure add queue.spool, problem still.

queue.spool:
  file:
    path: "${path.data}/spool.dat"
    size: 512MiB
    page_size: 16KiB
  write:
    buffer_size: 10MiB
    flush.timeout: 5s
    flush.events: 1024

Help me, Thanks!

KevinShi · August 2, 2023, 11:34am

My kernel is 3.10

uname -r
3.10.0-1127.19.1.el7.x86_64

system · August 30, 2023, 1:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.