I have some Linux servers that are getting errors like the below in the logs...
auditd[1074]: Error receiving audit netlink packet (No buffer space available)
I know HOW to resolve the issue (tweak the audit buffer setting in audit.rules), but I'm wondering WHAT is the impact of this?
Am I actually losing auditd events in the log? Is it failing to write the events when it runs out of buffer space?
I have been Googling, but I haven't found a concrete answer.
You could try increasing auditd's buffer size. In RHEL 8 it would be in /etc/audit/rules.d/audit.rules.
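
An added example, not part of the original thread: one way to see whether the kernel has counted any dropped audit records is to read the `lost`, `backlog` and `backlog_limit` fields that `auditctl -s` reports. The function names, the 80% warning threshold and the sample status text below are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): read `auditctl -s` output
# on stdin and report whether the kernel has counted dropped audit records.
# Function names and the 80% threshold are assumptions of this example.

# Print the value of one status field. Handles "key value" lines and the
# older one-line "AUDIT_STATUS: key=value ..." layout.
audit_status_field() {
    awk -v k="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i == k && i < NF) { print $(i + 1); exit }
            if (split($i, kv, "=") == 2 && kv[1] == k) { print kv[2]; exit }
        }
    }'
}

# Exit 0 = nothing lost, 1 = records lost or queue nearly full, 2 = unparsable.
audit_loss_check() {
    st=$(cat)
    lost=$(printf '%s\n' "$st" | audit_status_field lost)
    limit=$(printf '%s\n' "$st" | audit_status_field backlog_limit)
    backlog=$(printf '%s\n' "$st" | audit_status_field backlog)
    backlog=${backlog:-0}
    if [ -z "$lost" ] || [ -z "$limit" ]; then
        echo "UNKNOWN: no lost/backlog_limit fields found"; return 2
    fi
    if [ "$lost" -gt 0 ]; then
        echo "LOST: kernel reports $lost dropped records (backlog $backlog/$limit)"
        return 1
    fi
    if [ "$limit" -gt 0 ] && [ $((backlog * 100 / limit)) -ge 80 ]; then
        echo "WARN: backlog $backlog/$limit is at or above 80%"; return 1
    fi
    echo "OK: lost=0 (backlog $backlog/$limit)"
}

# Constructed sample inputs, one per layout.
SAMPLE_NEW='enabled 1
failure 1
pid 1074
rate_limit 0
backlog_limit 8192
lost 0
backlog 3'
SAMPLE_OLD='AUDIT_STATUS: enabled=1 flag=1 pid=1074 rate_limit=0 backlog_limit=320 lost=42 backlog=318'

# On a real host (as root): auditctl -s | audit_loss_check
```

A `lost` value that keeps rising between two runs means records are still being dropped; the backlog limit itself is what the `-b` line in audit.rules sets.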