audit_set_backlog_wait_time - Linux
Overview
audit_set_backlog_wait_time controls how long the audit system waits for the queue of pending events to drain when the queue is full. If the limit is reached and this timeout expires, the audit system drops pending events and logs a warning to the audit log.
Syntax
audit_set_backlog_wait_time [time_microseconds]
Options/Flags
- time_microseconds: (Default: 90000000) How long, in microseconds, the audit system waits for the queue of pending events to drain before dropping events.
Examples
Setting the backlog wait time
audit_set_backlog_wait_time 120000000
Getting the current backlog wait time
To get the current backlog wait time, omit the [time_microseconds] argument:
audit_set_backlog_wait_time
90000000
Common Issues
A common issue is degraded performance when the backlog wait time is set too high. In that case the audit system may not be able to keep up with the incoming events, leading to significant performance issues.
Integration
audit_set_backlog_wait_time can be used in conjunction with other audit commands, such as auditctl and ausearch, to manage and monitor the audit system.
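An added example, not part of the original page: a shell check that reads the status output of auditctl -s and reports dropped events and a nearly full backlog queue, the condition the wait time exists to absorb. It assumes the status is printed as "name value" lines containing backlog_limit, backlog and lost; the function name, the 80% threshold and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: report dropped audit events and backlog pressure.
# Assumption: `auditctl -s` prints "name value" lines that include
# backlog_limit, backlog and lost.

# Constructed sample status text (not captured from a real host).
SAMPLE_HEALTHY='enabled 1
backlog_limit 8192
lost 0
backlog 3
backlog_wait_time 60000'
SAMPLE_LOSSY='enabled 1
backlog_limit 8192
lost 42
backlog 8000
backlog_wait_time 60000'

# check_audit_backlog [threshold_pct]: reads status text on stdin and
# prints one finding per line.
# Exit status: 0 healthy, 1 events lost or queue nearly full, 2 fields missing.
check_audit_backlog() {
    awk -v pct="${1:-80}" '
        BEGIN { wait = "unknown" }
        $1 == "backlog_limit"     { limit = $2; seen++ }
        $1 == "backlog"           { depth = $2; seen++ }
        $1 == "lost"              { lost = $2; seen++ }
        $1 == "backlog_wait_time" { wait = $2 }
        END {
            if (seen < 3) {
                print "ERROR: missing backlog_limit, backlog or lost"
                exit 2
            }
            rc = 0
            if (lost > 0) {
                printf "LOST: %d events dropped (backlog_wait_time=%s)\n", lost, wait
                rc = 1
            }
            # A backlog_limit of 0 is treated as "no limit": skip the check.
            if (limit > 0 && depth * 100 >= limit * pct) {
                printf "PRESSURE: backlog %d of %d (>= %d%%)\n", depth, limit, pct
                rc = 1
            }
            if (rc == 0) printf "OK: backlog %d of %d, lost 0\n", depth, limit
            exit rc
        }'
}

# Live use, as root: auditctl -s | check_audit_backlog 80
```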
Related Commands
- auditctl: Configures the audit system.
- ausearch: Searches the audit log.