After performing a software update, I got hundreds of errors that read like this:

```
2013-11-11 19:00:00 err user audispd - queue is full - dropping event
```

Not sure if this is a bug, but it is rapidly filling up my log file at a few lines per second and making it difficult for me to look at other errors. I am already using log rotation to prevent my disc from filling up. Is there any way I can further refine the rsyslog configuration by excluding duplicated errors like this?

jirib
Question Overflow

1 Answer

Putting that error (without the datetime) into Google, following the first link and the response it gets leads to reading the audispd and audispd.conf man pages. The latter contains this useful information:

> q_depth
> This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 80.

So read the manpages, and increase the queue depth.

user9517
  • Thanks, but this is like transferring the problem back to the audit log. My `q_depth` is already at 120. There is no recommendation on the optimal value for this and I couldn't be increasing it whenever I have this problem. I am looking for a solution to drop the duplicate messages. And I think I just got [one](http://www.rsyslog.com/doc/rsconf1_repeatedmsgreduction.html). – Question Overflow Nov 15 '13 at 12:37
  • @QuestionOverflow: That's not solving the real problem; it's putting a band-aid in place. The real problem is your queue length is too small and needs to be increased, so doing anything else (especially when there is an easy fix) is doing it wrong. – user9517 Nov 15 '13 at 12:53
  • Umm, but the problem that is causing my audit log to be overwhelmed is also due to an error that keeps duplicating itself every second `2013-11-11 19:00:00 err user setroubleshoot - SELinux is preventing /usr/sbin/abrtd from write access on the sock_file socket.` This bug is exactly the same as what is found [here](https://bugzilla.redhat.com/show_bug.cgi?id=1024924). – Question Overflow Nov 15 '13 at 12:57
  • @QuestionOverflow: That bug report also contains an easy-to-implement fix for that problem. – user9517 Nov 15 '13 at 13:00
  • Yes, I know, but I am not really comfortable generating a local policy whenever there is a bug which I don't really understand. Is generating a policy for this really the right way to do things or just a quick fix? – Question Overflow Nov 15 '13 at 13:03
  • @QuestionOverflow: You have to make that assessment yourself on a case-by-case basis, but note that a fix which allows this action has been pushed into the relevant source repository, so it will come downstream in due course. – user9517 Nov 15 '13 at 13:17
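
Added example (not part of the original thread, and not code from rsyslog or the audit project): before either raising `q_depth` or suppressing repeats, it helps to measure how many drop messages occur per minute and which other message floods the log in those same minutes. The function name `triage`, the constant names and the sample lines are constructed for illustration; the line layout is assumed to match the two log lines quoted above.

```python
import re
from collections import Counter

# Layout of the two log lines quoted in this thread:
# "<date> <time> <severity> <facility> <program> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} "
    r"\S+ \S+ (?P<prog>\S+) - (?P<msg>.*)$"
)
DROP_MSG = "queue is full - dropping event"
AVC_MSG = ("SELinux is preventing /usr/sbin/abrtd from write access "
           "on the sock_file socket.")

def triage(lines):
    """Return (drops, suspects).

    drops:    Counter of audispd drop messages per minute.
    suspects: Counter of (program, message) for every other line logged
              in a minute that also saw at least one drop.
    """
    drops, others = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # unknown layout, skip rather than guess
        if m["prog"] == "audispd" and m["msg"] == DROP_MSG:
            drops[m["ts"]] += 1
        else:
            others.append((m["ts"], m["prog"], m["msg"]))
    suspects = Counter((p, msg) for ts, p, msg in others if ts in drops)
    return drops, suspects

# Constructed sample input in the same layout (not real log data).
SAMPLE = [
    "2013-11-11 18:59:30 info auth sshd - Accepted publickey for admin",
    "2013-11-11 19:00:00 err user setroubleshoot - " + AVC_MSG,
    "2013-11-11 19:00:00 err user audispd - " + DROP_MSG,
    "2013-11-11 19:00:01 err user setroubleshoot - " + AVC_MSG,
    "2013-11-11 19:00:01 err user audispd - " + DROP_MSG,
    "2013-11-11 19:00:01 err user audispd - " + DROP_MSG,
    "2013-11-11 19:00:02 info cron crond - job started",
    "2013-11-11 19:01:05 err user setroubleshoot - " + AVC_MSG,
]

if __name__ == "__main__":
    drops, suspects = triage(SAMPLE)
    for minute, n in sorted(drops.items()):
        print(f"{minute}  audispd drop messages: {n}")
    for (prog, msg), n in suspects.most_common(3):
        print(f"{n:4d}  {prog}: {msg[:60]}")
```

Each drop message stands for an audit event that never reached the dispatcher's plugins, so the per-minute count is a measure of lost audit data, not only of log noise.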