My audispd keeps logging lots of queue full errors.
Jun 9 08:46:29 web audispd: queue is full - dropping event
I'd like to understand better why the queue is filling up and whether there is a better way to resolve the problem than continually increasing the q_depth (currently up to 300). My thoughts are that I shouldn't be seeing so many messages that the queue can't be processed. So, how do I find out what is in the queue and why it isn't being flushed out? (There shouldn't be many events, it's a very quiet web server)
See this thread, which includes a response from the auditd maintainer. It's not super informative, but it gives some good hints.

I did as suggested, and set priority_boost = 8, which seems to have fixed the issues for me.

The manpages for audispd.conf and audisp-remote.conf seem to suggest that queue_depth is the more correct parameter to adjust. However, you noted that this wasn't working for you.

I don't understand well what priority_boost does, but I assume it prevents audit events from being queued to begin with, or at least from spending so much time in the queue. So there's less chance of the queue becoming full.

There doesn't appear to be much guidance on how to set these parameters; it's just a matter of tuning them until they work.
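As an added example (not code from the thread), a small POSIX shell script that tallies the "queue is full" drops per minute from a syslog excerpt and reads q_depth and priority_boost back out of audispd.conf, so you can tell whether drops come in bursts (queue too small for peaks) or continuously (consumer too slow) after a tuning change. The log lines, config contents and temp-file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: summarise audispd "queue is full" drops per minute and read
# the relevant audispd.conf keys. Assumes the syslog line format shown in the
# question and the key = value format of audispd.conf; sample data is constructed.

drops_per_minute() {
    # $1: syslog file. Prints "Mon DD HH:MM count" for each minute with drops.
    grep 'audispd: queue is full' "$1" |
        awk '{ key = $1 " " $2 " " substr($3, 1, 5); n[key]++ }
             END { for (k in n) print k, n[k] }' | sort
}

total_drops() {
    # $1: syslog file. Prints the total number of dropped events.
    grep -c 'audispd: queue is full' "$1"
}

peak_drops_per_minute() {
    # $1: syslog file. Prints the largest per-minute drop count (0 if none).
    drops_per_minute "$1" | awk 'BEGIN { m = 0 } $4 > m { m = $4 } END { print m }'
}

config_value() {
    # $1: key name, $2: config file. Prints the value with surrounding whitespace removed.
    awk -F= -v k="$1" '$1 ~ ("^[ \t]*" k "[ \t]*$") { gsub(/[ \t]/, "", $2); print $2 }' "$2"
}

# Constructed sample input: four drops, three of them inside one minute.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 9 08:46:29 web audispd: queue is full - dropping event
Jun 9 08:46:29 web audispd: queue is full - dropping event
Jun 9 08:46:30 web audispd: queue is full - dropping event
Jun 9 08:52:11 web audispd: queue is full - dropping event
Jun 9 08:52:12 web sshd[1234]: Accepted publickey for admin
EOF

# Constructed sample config using the values discussed in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
q_depth = 300
overflow_action = syslog
priority_boost = 8
EOF

echo "total drops: $(total_drops "$SAMPLE_LOG")"
echo "peak drops in one minute: $(peak_drops_per_minute "$SAMPLE_LOG")"
echo "q_depth=$(config_value q_depth "$SAMPLE_CONF") priority_boost=$(config_value priority_boost "$SAMPLE_CONF")"
```

Run it against /var/log/messages (or journalctl output in the same format) and /etc/audisp/audispd.conf; a peak that is far above the average drop rate points at bursts rather than a consistently starved consumer.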