Error receiving audit reply: no buffer space available

Hello,
I am having an issue with the auditbeat service running, but there is no output and some commands are not working. I found this error in syslog:

auditbeat[23346]: 2019-12-03T11:48:38.116Z#011ERROR#011[auditd]#011auditd/audit_linux.go:155#011Failure receiving audit events#011{"error": "failed to set audit PID (current audit PID 0): error receiving audit reply: no buffer space available", "errorVerbose": "no buffer space available\nerror receiving audit reply\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).getReply\n\t/home/builder/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:474\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).set\n\t/home/builder/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:513\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).SetPID\n\t/home/builder/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:318\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).initClient\n\t/home/builder/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:344\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).receiveEvents\n\t/home/builder/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:372\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).Run\n\t/home/builder/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:152\ngithub.com/elastic/beats/metricbeat/mb/module.(*metricSetWrapper).run\n\t/home/builder/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:196\ngithub.com/elastic/beats/metricbeat/mb/module.(*Wrapper).Start.func1\n\t/home/builder/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:140\nruntime.goexit\n\t/home/builder/agent/_work/_tool/go/1.12.4/x64/src/runtime/asm_amd64.s:1337\nfailed to set audit PID (current audit PID 
0)\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).initClient\n\t/home/builder/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:348\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).receiveEvents\n\t/home/builder/g

Should I set rate_limit and backpressure_strategy? Or what are the recommended values?

Thank you

I am facing this issue when I first stop auditd running on the server and then start auditbeat. It looks like it helps if I flush the audit rules with auditctl -D before stopping auditd, but I still don't understand which buffer is overloaded. Do you know, please, how the netlink audit socket buffer works?
Thank you
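
Added example (not part of the original posts and not Elastic's code): a check to run before the auditd-to-auditbeat handover described above. It parses `auditctl -s` output to report whether another daemon still holds the audit PID and whether the kernel's audit backlog queue is full or dropping records; the function name, verdict labels and 80% threshold are assumptions, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: summarize `auditctl -s` output before handing the audit
# netlink socket from auditd to auditbeat.
# On a host (assumption: root shell):  auditctl -s | audit_status_check

audit_status_check() {
    awk '
    {
        gsub(/=/, " ")   # older auditctl prints key=value pairs on one line
        n = split($0, f, /[ \t]+/)
        for (i = 1; i < n; i++)
            if (f[i + 1] ~ /^[0-9]+$/) v[f[i]] = f[i + 1]
    }
    END {
        if (!("pid" in v)) { print "verdict=unparsed"; exit }
        pid = v["pid"] + 0; lost = v["lost"] + 0
        backlog = v["backlog"] + 0; limit = v["backlog_limit"] + 0
        if (pid != 0)
            verdict = "owned"                  # another daemon holds the audit PID
        else if (lost > 0 || (limit > 0 && backlog * 10 >= limit * 8))
            verdict = "kernel-queue-pressure"  # backlog queue near full or dropping
        else
            verdict = "clear"                  # kernel queue is not the bottleneck
        printf "owner=%s lost=%d backlog=%d/%d verdict=%s\n",
            (pid ? pid : "none"), lost, backlog, limit, verdict
    }'
}

# Constructed samples (not captured from a real host).
SAMPLE_IDLE='enabled 1
failure 1
pid 0
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'
SAMPLE_BUSY='AUDIT_STATUS: enabled=1 flag=1 pid=0 rate_limit=0 backlog_limit=320 lost=4521 backlog=319'
SAMPLE_OWNED='enabled 1
pid 742
backlog_limit 8192
lost 0
backlog 3'

for s in "$SAMPLE_IDLE" "$SAMPLE_BUSY" "$SAMPLE_OWNED"; do
    printf '%s\n' "$s" | audit_status_check
done
```

The `backlog`, `backlog_limit` and `lost` fields describe the kernel's audit backlog queue, which is separate from the receive buffer of the netlink socket on which the client reads replies. Per netlink(7), a receive that fails with "no buffer space available" (ENOBUFS) means that socket buffer overflowed.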
