audit_set_backlog_wait_time - Linux


Overview

audit_set_backlog_wait_time controls how long the audit system waits for the queue of pending events to drain when the queue is full. If the queue is still full when this timeout expires, the audit system drops pending events and logs a warning to the audit log.

Syntax

audit_set_backlog_wait_time [time_microseconds]

Options/Flags

  • time_microseconds: (Default: 90000000) How long, in microseconds, the audit system waits for the queue of pending events to drain before dropping events.

Examples

Setting the backlog wait time

audit_set_backlog_wait_time 120000000

Getting the current backlog wait time

To get the current backlog wait time, omit the [time_microseconds] argument:

audit_set_backlog_wait_time
90000000

Common Issues

A common issue is setting the backlog wait time too high. In that case the audit system may not be able to keep up with incoming events, leading to significant performance issues.

Integration

audit_set_backlog_wait_time can be used in conjunction with other audit commands, such as auditctl and ausearch, to manage and monitor the audit system.
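
One way to watch for the full-queue and dropped-event conditions described in the Overview is to classify the status text that auditctl -s prints. This is an added example, not part of the original page or of the audit project's code. It assumes the status arrives as "name value" lines containing backlog, backlog_limit, lost and backlog_wait_time; the function names, the 80% threshold, the verdict words and the sample status are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify audit queue health from `auditctl -s` style text.
# Assumptions: status is printed as "name value" lines with the fields
# backlog, backlog_limit, lost and backlog_wait_time; the 80% warning
# threshold and the verdict words are illustrative choices.

# Usage: auditctl -s | audit_backlog_verdict [previous_lost] [warn_percent]
# Exit status: 0 OK, 1 PRESSURE, 2 DROPPING, 3 UNKNOWN.
audit_backlog_verdict() {
    awk -v prev="${1:-0}" -v warn="${2:-80}" '
        BEGIN { backlog = limit = lost = -1; wait = "?" }
        $1 == "backlog"           { backlog = $2 + 0 }
        $1 == "backlog_limit"     { limit   = $2 + 0 }
        $1 == "lost"              { lost    = $2 + 0 }
        $1 == "backlog_wait_time" { wait    = $2 }
        END {
            if (backlog < 0 || limit < 0 || lost < 0) {
                print "UNKNOWN required fields missing"
                exit 3
            }
            # A limit of 0 leaves no meaningful fill ratio; report 0%.
            pct = (limit > 0) ? int(backlog * 100 / limit) : 0
            detail = sprintf("backlog=%d/%d (%d%%) lost=%d wait=%s",
                             backlog, limit, pct, lost, wait)
            # Compare lost against the previous reading so that only
            # newly dropped events raise the alarm.
            if (lost > prev)      { print "DROPPING " detail; exit 2 }
            else if (pct >= warn) { print "PRESSURE " detail; exit 1 }
            print "OK " detail
        }'
}

# Constructed sample status text (not captured from a real host).
# $1 = value for "lost", $2 = value for "backlog".
sample_status() {
    cat <<EOF
enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost $1
backlog $2
backlog_wait_time 60000
EOF
}
```

Store the lost value from each run and pass it as the first argument on the next run.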

Related Commands

  • auditctl: Configures the audit system.
  • ausearch: Searches the audit log.