Auditbeat "reassembler_seq_gaps":8589934603

Hello,
I have in auditbeat info messages very high value for reassembler_seq_gaps
here is one example:
auditbeat[560]: 2019-07-17T09:30:18.707Z INFO [monitoring] log/log.go:145 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"auditd":{"reassembler_seq_gaps":8589934603,"received_msgs":16327}}

Do you please know why is this value so high ? In other messages is around 3 or 4
I am worried if I am losing some messages ?

thank you

I don't think reassembler_seq_gaps is a reliable metric. There's a better metric called kernel_lost that's based on the kernel's lost metric. And there is a userspace_lost metric. Look for those as indicators that messages were dropped.

{"monitoring": {"metrics": {"auditd":{"kernel_lost":3494

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.