Le 09/07/17 à 21:58, Salvatore Bonaccorso a écrit :Hi,Hi Unconfirmed, but the behaviour you are seen might be related to the changes which went in in 4.11 around 264d509637d95f9404e52ced5003ad352e0f6a26 . https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26 I posted on the linux-audit mailing list and I get the following reply from Paul Moore: On Mon, Jul 10, 2017 at 10:59 AM, Laurent Bigonville <bigon@debian.org> wrote:Hi, With 4.11.6 (that has been uploaded in debian unstable) I get a lot of messages in dmesg like [100052.120468] audit: audit_lost=66041 audit_rate_limit=0 audit_backlog_limit=8192 [100052.120470] audit: kauditd hold queue overflow And it also seems that the messages are not stored in auditd logs anymore. https://git.kernel.org/linus/264d509637d95f9404e52ced5003ad352e0f6a26 seems to be included in this release An idea?I'm going to assume that your backlog limit is set to a sane value for your system's configuration, so that leaves me with two commits that may be of interest: * 1df30f8264b8 ("audit: fix the RCU locking for the auditd_connection structure") This was a manual backport of a v4.12 patch to v4.11, looking now, I see it should be in +v4.11.5 so that probably isn't your problem ... * c81be52a3ac0 ("audit: fix a race condition with the auditd tracking code") This patch is relatively new and was just sent up to Linus during the next merge window; it's a race condition fix so reproducing it can be tricky, although it may be easily reproducible on your system at the moment (luck you!). If you aren't in a position to apply the patch, the workaround is rather simple: restart auditd. If none of the above works, let me know, but I strongly suspect you're tripping over the race condition fixed in that last patch. I still should test the last patch he mentioned |