audit_set_backlog_limit - Linux


Overview

audit_set_backlog_limit manages the system audit backlog limit: the maximum number of audit events the kernel will queue while they are still waiting to be consumed by the audit daemon. Bounding this queue keeps the system from being overwhelmed by unprocessed audit data.

Syntax

audit_set_backlog_limit [<backlog_limit>]

Options/Flags

  • backlog_limit: The maximum number of unprocessed audit events to store. The default value is 512. Specify a value of -1 to disable the backlog limit.

Examples

  • To view the current backlog limit:
      $ audit_set_backlog_limit
  • To set the backlog limit to 1024:
      $ audit_set_backlog_limit 1024
  • To disable the backlog limit:
      $ audit_set_backlog_limit -1

Common Issues

  • Kernel panic: Increasing the backlog limit too high can lead to a kernel panic if the system is unable to process the audit events quickly enough.

Integration

  • Combine with auditctl to configure audit rules and set the backlog limit for specific rules.
  • Use in scripts or systemd unit files to automatically manage the backlog limit based on system load or other criteria.
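As an added example (not code from this page or the audit project): a POSIX sh script that parses the backlog_limit, lost and backlog counters from `auditctl -s` output, decides under an assumed doubling policy whether the limit should be raised, and applies the result with audit_set_backlog_limit as documented above. The sample status text and the 65536 ceiling are constructed assumptions.

```shell
#!/bin/sh
# Added example: decide whether the audit backlog limit needs raising from the
# counters that `auditctl -s` prints, then apply the new value. The decision
# logic works on a string so it can be exercised offline.

# Constructed sample of `auditctl -s` output (not captured from a real host).
SAMPLE_STATUS='enabled 1
failure 1
rate_limit 0
backlog_limit 512
lost 37
backlog 400
backlog_wait_time 60000'

# status_field <name> <status-text>: print the value on the "<name> <value>" line.
status_field() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# recommend_backlog_limit <status-text> [max]: print the limit to apply.
# Assumed policy: double the current limit when events were lost or the queue
# is more than half full, never above max (default 65536); otherwise print the
# current limit unchanged.
recommend_backlog_limit() {
    status="$1"; max="${2:-65536}"
    limit=$(status_field backlog_limit "$status")
    lost=$(status_field lost "$status")
    backlog=$(status_field backlog "$status")
    new="$limit"
    if [ "$lost" -gt 0 ] || [ "$backlog" -gt "$((limit / 2))" ]; then
        new=$((limit * 2))
    fi
    if [ "$new" -gt "$max" ]; then
        new="$max"
    fi
    printf '%s\n' "$new"
}

# Touch the live system only when invoked as: sh adjust_backlog.sh live
# (needs root and a running audit subsystem). Otherwise run on the sample.
if [ "${1:-}" = "live" ]; then
    current=$(auditctl -s)
    want=$(recommend_backlog_limit "$current")
    if [ "$want" != "$(status_field backlog_limit "$current")" ]; then
        audit_set_backlog_limit "$want"
    fi
else
    recommend_backlog_limit "$SAMPLE_STATUS"
fi
```

Run without arguments, it only prints the limit the policy would choose for the sample; a cron job or systemd timer can invoke it with "live" to apply the decision on the host.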

Related Commands

  • auditctl: Configures audit rules.
  • ausearch: Searches audit logs.
  • aureport: Generates audit reports.