[systemd-devel] Quiesce audit message flood from 218

Lennart Poettering lennart at poettering.net
Mon Dec 29 05:22:46 PST 2014

On Sun, 28.12.14 12:45, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hello all,
> systemd 218 now enables audit in the kernel unconditionally [1]. While
> these messages might be nice to have in the journal, they literally
> flood dmesg and thus /var/log/syslog and friends with messages like
> [39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
> $ dmesg |grep -c audit
> 786
> and more importantly, eat a lot of real kernel/daemon messages due to
> rate limiting: I have many dozen messages like
>   [37444.978307] audit_printk_skb: 222 callbacks suppressed
> and they demonstrably cause e.g. AppArmor violations to not get shown
> due to this.
> Is there a way to make the audit messages *only* go to the journal,
> but not to dmesg and sysloggers? If not, could we perhaps add a
> ./configure or config file option for this, to disable audit on
> systems where we don't need it?

This is a known limitation of the in-kernel audit code, and is being
tracked here. Needs to be fixed in the kernel.


Fix should be easy enough, but so far nobody has looked into this yet.


Lennart Poettering, Red Hat
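
To gauge how much a kernel log is affected by the flood described in this thread, the following added example (not code from the thread or from systemd) tallies audit records by type and sums the `callbacks suppressed` counts. The function name, the sample lines, and the serial-gap heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# Line shapes taken from the two kernel-log messages quoted in the thread.
AUDIT_RE = re.compile(r"^\[\s*\d+\.\d+\] audit: type=(\d+) audit\(\d+\.\d+:(\d+)\)")
SUPPRESSED_RE = re.compile(r"^\[\s*\d+\.\d+\] audit_printk_skb: (\d+) callbacks suppressed")

def summarize_audit_flood(lines):
    """Summarize audit noise and rate-limit drops in dmesg-style lines."""
    by_type = Counter()   # audit record type -> number of records printed
    serials = set()       # audit event serials seen in this log
    suppressed = 0        # total printk calls dropped by rate limiting
    other = 0             # non-audit lines that did make it into the log
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = AUDIT_RE.match(line)
        if m:
            by_type[int(m.group(1))] += 1
            serials.add(int(m.group(2)))
            continue
        m = SUPPRESSED_RE.match(line)
        if m:
            suppressed += int(m.group(1))
            continue
        other += 1
    # Heuristic (assumption): the number after the colon in audit(ts:serial)
    # rises by one per event, so holes in the range are events absent here.
    gaps = (max(serials) - min(serials) + 1 - len(serials)) if serials else 0
    return {
        "audit_records": sum(by_type.values()),
        "by_type": dict(by_type),
        "callbacks_suppressed": suppressed,
        "serial_gaps": gaps,
        "other_lines": other,
    }

# Constructed sample: the first line reuses the record quoted in the thread,
# the remaining lines are made up for the example.
SAMPLE = """\
[39098.129349] audit: type=1105 audit(1419765421.403:4233): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
[39098.130112] audit: type=1106 audit(1419765421.404:4234): pid=25633 uid=0 auid=0 ses=20 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
[39099.000417] audit_printk_skb: 222 callbacks suppressed
[39104.512008] audit: type=1105 audit(1419765426.900:4240): pid=25701 uid=0 auid=0 ses=21 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
[39105.001200] example0: constructed non-audit kernel message
""".splitlines()

if __name__ == "__main__":
    print(summarize_audit_flood(SAMPLE))
```

A large `callbacks_suppressed` total relative to `other_lines` indicates that the kernel log is an incomplete record for the period it covers.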
