[systemd-devel] Systemd Journald and audit logging causing journal issues
Brad Zynda
bradley.v.zynda at nasa.gov
Mon Oct 2 17:14:57 UTC 2017
Thanks for pointing me in the right direction, as soon as I am moderator
allowed for the audit mailing list I will present the question to them.
Did you want to see the response from them?
Thanks,
Brad
On 10/02/2017 11:40 AM, Lennart Poettering wrote:
> On Mo, 02.10.17 11:25, Brad Zynda (bradley.v.zynda at nasa.gov) wrote:
>
>> Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages
>> from /system.slice/auditd.service
>
> The question is: why does auditd even log to the journal?
>
>> Now we are required to have full audit rules and does this look like at
>> rate limiting issue or an issue of journal not able to handle the
>> traffic to logging?
>
> journald detected that it got flooded with too many messages in too
> short a time from auditd. if this happens then something is almost
> certainly off with auditd, as auditd is not supposed to flood journald
> with messages, after all it maintains its own auditing log database.
>
> Please ping the auditd folks for help
>
> Lennart
>
More information about the systemd-devel
mailing list