Error receiving audit reply: no buffer space available

I am having an issue with the auditbeat service running, but there is no output and some commands are not working. I found this error in syslog:

auditbeat[23346]: 2019-12-03T11:48:38.116Z#011ERROR#011[auditd]#011auditd/audit_linux.go:155#011Failure receiving audit events#011{"error": "failed to set audit PID (current audit PID 0): error receiving audit reply: no buffer space available", "errorVerbose": "no buffer space available\nerror receiving audit reply\*AuditClient).getReply\n\t/home/builder/go/src/\*AuditClient).set\n\t/home/builder/go/src/\*AuditClient).SetPID\n\t/home/builder/go/src/\*MetricSet).initClient\n\t/home/builder/go/src/\*MetricSet).receiveEvents\n\t/home/builder/go/src/\*MetricSet).Run\n\t/home/builder/go/src/\*metricSetWrapper).run\n\t/home/builder/go/src/\*Wrapper).Start.func1\n\t/home/builder/go/src/\nruntime.goexit\n\t/home/builder/agent/_work/_tool/go/1.12.4/x64/src/runtime/asm_amd64.s:1337\nfailed to set audit PID (current audit PID 0)\*MetricSet).initClient\n\t/home/builder/go/src/\*MetricSet).receiveEvents\n\t/home/builder/g

Should I set rate_limit and backpressure_strategy? Or what are the recommended values?

Thank you

I am facing this issue when I first stop auditd running on the server and then start auditbeat. It looks like it helps if I flush the audit rules with auditctl -D before stopping auditd, but I still don't understand which buffer is overloaded. Do you please know how the netlink audit socket buffer works?
Thank you
