[systemd-devel] Systemd Journald and audit logging causing journal issues

Lennart Poettering lennart at poettering.net
Mon Oct 2 15:40:04 UTC 2017


On Mo, 02.10.17 11:25, Brad Zynda (bradley.v.zynda at nasa.gov) wrote:

> Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages
> from /system.slice/auditd.service

The question is: why does auditd even log to the journal? 

> Now we are required to have full audit rules and does this look like a
> rate limiting issue or an issue of journal not able to handle the
> traffic to logging?

journald detected that it got flooded with too many messages in too
short a time from auditd. If this happens then something is almost
certainly off with auditd, as auditd is not supposed to flood journald
with messages, after all it maintains its own auditing log database.

Please ping the auditd folks for help.

Lennart

-- 
Lennart Poettering, Red Hat
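
Added example, not part of the original message: a way to total the "Suppressed N messages" notices per service from syslog-style journal output, so the size of the logging gap is known. The first sample line is the notice quoted in the thread; the other lines, the function names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# journald's rate-limit notice as it appears in syslog-style output.
NOTICE = re.compile(
    r"systemd-journald?\[\d+\]:\s+Suppressed (\d+) messages from (\S+)"
)

# Constructed sample; only the first line comes from the thread.
SAMPLE = """\
Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages from /system.slice/auditd.service
Sep 28 13:50:33 server systemd-journal[565]: Suppressed 1200 messages from /system.slice/auditd.service
Sep 28 13:51:10 server sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50222 ssh2
Sep 28 13:52:03 server systemd-journal[565]: Suppressed 15 messages from /system.slice/example.service
"""


def suppressed_by_unit(text):
    """Map each source to (number of notices, total messages dropped)."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = NOTICE.search(line)
        if m is None:
            continue  # not a rate-limit notice
        count, source = int(m.group(1)), m.group(2)
        totals[source][0] += 1
        totals[source][1] += count
    return {src: tuple(v) for src, v in totals.items()}


def over_threshold(totals, threshold):
    """Sources whose dropped-message total exceeds threshold, largest first."""
    hits = [(src, dropped) for src, (_, dropped) in totals.items()
            if dropped > threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    totals = suppressed_by_unit(SAMPLE)
    for src, dropped in over_threshold(totals, threshold=1000):
        notices = totals[src][0]
        print(f"{src}: {dropped} messages dropped across {notices} notices")
```

Each notice is the only record journald keeps of the dropped messages, so the totals give the size of the gap but not its content.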

