Symptom Description:
The Linux host cannot be reached over SSH and does not respond to ping, and the error message "audit: backlog limit exceeded" is displayed repeatedly on the login screen:
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
audit:backlog limit exceeded
...
Cause analysis:
The message comes from the Linux kernel log. The cause is that the audit service is recording audit events on a busy system, and the audit buffer becomes a bottleneck that brings the system close to crashing.
Background:
Audit is a service used to record low-level calls made by users in Linux. The audit service records the open and exit system calls made by users and writes them to log files. Audit rules can be added or deleted by using the auditctl command. You can set an audit rule to log a specific user or a specific process.
Main commands:
auditctl: audit rule and system management tool, used to obtain status and to add and delete monitoring rules
ausearch: queries the audit log
aureport: outputs audit system reports
Solutions:
You can try to increase the Audit buffer to resolve this problem.
The default memory page size of Linux is 4096 Bytes. You can obtain the page size by running the getconf PAGE_SIZE command. The buffer can be set to N multiples of the page size.
View help information: auditctl -h
View the current default configuration: auditctl -s
backlog_limit 320 # my CentOS 7.1 default is 320
Optimize the audit service by modifying the buffer size: auditctl -b 8192
If this parameter is not set, the default value is 64 Bytes.
Making the setting permanent:
Method 1) Modify the rule configuration
vim /etc/audit/audit.rules
-D
-b 8192
-f 1
Parameters:
-D: delete all rules
-b: set the audit buffer size; if the buffer is full, the kernel raises the failure flag
-f [0|1|2]: set the audit failure level. There are three values, 0/1/2. 0 indicates that logs are not generated; 1 is a printk log; 2 is the highest level and outputs a large amount of log information
-e [0|1]: enable/disable auditing
Method 2) The buffer size can also be set directly in the boot script
chmod u+x /etc/rc.d/rc.local
vim /etc/rc.d/rc.local
auditctl -b 8192
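A quick way to confirm the diagnosis and to verify the fix, added here as an example (it is not code from the original page): the function below reads the "key value" lines printed by auditctl -s and reports whether the backlog is close to backlog_limit or events have been lost. The function name, the 80% warning threshold and both sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: assess `auditctl -s` output. The fields backlog_limit,
# backlog and lost are printed by auditctl -s; the 80% threshold and the
# function name are assumptions made for this example.

# Reads status lines on stdin and prints one verdict line:
# LOST (events dropped since boot), WARN (backlog >= 80% of limit) or OK.
check_audit_backlog() {
    awk '
        $1 == "backlog_limit" { limit = $2 }
        $1 == "backlog"       { backlog = $2 }
        $1 == "lost"          { lost = $2 }
        END {
            if (limit == "" || backlog == "") {
                print "UNKNOWN: status fields missing"; exit
            }
            pct = (limit > 0) ? int(backlog * 100 / limit) : 100
            if (lost + 0 > 0)
                printf "LOST: %d events dropped, backlog %d/%d (%d%%)\n", lost, backlog, limit, pct
            else if (pct >= 80)
                printf "WARN: backlog %d/%d (%d%%)\n", backlog, limit, pct
            else
                printf "OK: backlog %d/%d (%d%%)\n", backlog, limit, pct
        }'
}

# Constructed sample: a busy host with the 320 default, queue full.
sample_busy='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 320
lost 1543
backlog 320'

# Constructed sample: same host after a reboot with -b 8192 in audit.rules.
sample_fixed='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 12'

printf '%s\n' "$sample_busy"  | check_audit_backlog
printf '%s\n' "$sample_fixed" | check_audit_backlog
# On a live host, as root: auditctl -s | check_audit_backlog
```

The lost counter accumulates since boot, so a non-zero value means audit records were dropped at some point and the audit trail for that period is incomplete.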