audit: kauditd hold queue overflow
Recently, I came across a few servers, running Rocky Linux 8, that had consoles flooded with the following message:
[root@build01 ~]# dmesg | grep overflow
[ 0.289646] audit: kauditd hold queue overflow
[ 0.364107] audit: kauditd hold queue overflow
Apparently, there is a backlog limit for audit messages. This limit specifies the queue size for unprocessed events intended for auditd. In this particular case, the limit was too low. This can be fixed by turning off auditd, but there is most likely a reason why the daemon is on in the first place. Alternatively, the backlog queue limit can be increased.
To do so, edit the line starting with GRUB_CMDLINE_LINUX in /etc/default/grub:
...
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 ipv6.disable=1 crashkernel=auto resume=/dev/mapper/system-swap rd.lvm.lv=system/root rd.lvm.lv=system/swap rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
...
… and add audit_backlog_limit=8192, thus forcing the new hold queue size. After that, the GRUB configuration needs to be rebuilt:
[root@build01 ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
[root@build01 ~]#
That should do it.
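The edit described above can be scripted so that it is safe to repeat across several servers. The following is an added example, not part of the original post: the function names get_audit_backlog_limit and set_audit_backlog_limit are hypothetical, and the file to edit is passed as an argument so the change can be tried on a copy of /etc/default/grub first.

```bash
#!/usr/bin/env bash
# Added example: idempotently set audit_backlog_limit on the GRUB_CMDLINE_LINUX
# line of a GRUB defaults file. Function names are hypothetical.

# Print the audit_backlog_limit value from the GRUB_CMDLINE_LINUX line,
# or print nothing if the parameter is absent.
get_audit_backlog_limit() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr ' ' '\n' |
        sed -n 's/^audit_backlog_limit=\([0-9][0-9]*\)$/\1/p' |
        tail -n 1
}

# Usage: set_audit_backlog_limit FILE LIMIT
# Replaces an existing audit_backlog_limit=N, or appends the parameter
# inside the closing quote when it is missing. Other lines are untouched.
set_audit_backlog_limit() {
    local file=$1 limit=$2 tmp
    case $limit in
        ''|*[!0-9]*) echo "limit must be a number" >&2; return 2 ;;
    esac
    grep -q '^GRUB_CMDLINE_LINUX="' "$file" || {
        echo "no GRUB_CMDLINE_LINUX line in $file" >&2
        return 1
    }
    cp -p "$file" "$file.bak"          # keep a backup of the original
    tmp=$(mktemp)
    if grep -q '^GRUB_CMDLINE_LINUX=.*[" ]audit_backlog_limit=' "$file"; then
        # Parameter already present: change only its value.
        sed '/^GRUB_CMDLINE_LINUX="/ s/\([" ]\)audit_backlog_limit=[0-9]*/\1audit_backlog_limit='"$limit"'/g' \
            "$file" > "$tmp"
    else
        # Parameter missing: append it before the closing quote.
        sed '/^GRUB_CMDLINE_LINUX="/ s/"[[:space:]]*$/ audit_backlog_limit='"$limit"'"/' \
            "$file" > "$tmp"
    fi
    cat "$tmp" > "$file"               # overwrite in place, keeping file mode
    rm -f "$tmp"
}
```

The script only edits the defaults file; the GRUB configuration still has to be rebuilt with grub2-mkconfig as shown above.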