audit_set_backlog_wait_time - Linux


audit_set_backlog_wait_time controls how long the audit system waits for the queue of pending events to drain when the queue is full. If the limit is reached and this timeout expires, the audit system drops pending events and logs a warning to the audit log.


audit_set_backlog_wait_time [time_microseconds]


  • time_microseconds: (Default: 90000000) The wait time, in microseconds, that the audit system should wait for the queue of pending events to drain before dropping events.


Setting the backlog wait time

audit_set_backlog_wait_time 120000000

Getting the current backlog wait time

To get the current backlog wait time, omit the [time_microseconds] argument:


Common Issues

One common issue is performance problems when the backlog wait time is set too high. If the backlog wait time is too high, the audit system may not be able to keep up with the incoming events, leading to significant performance issues.


audit_set_backlog_wait_time can be used in conjunction with other audit commands, such as auditctl and ausearch, to manage and monitor the audit system.

Related Commands

  • auditctl: Configures the audit system.
  • ausearch: Searches the audit log.