Thanks for pointing me in the right direction. As soon as I am moderator allowed for the audit mailing list, I will present the question to them.
Did you want to see the response from them?

Thanks,
Brad

On 10/02/2017 11:40 AM, Lennart Poettering wrote:
> On Mo, 02.10.17 11:25, Brad Zynda ([email protected]) wrote:
>
>> Sep 28 13:50:03 server systemd-journal[565]: Suppressed 73244 messages
>> from /system.slice/auditd.service
>
> The question is: why does auditd even log to the journal?
>
>> Now we are required to have full audit rules and does this look like a
>> rate limiting issue or an issue of journal not able to handle the
>> traffic to logging?
>
> journald detected that it got flooded with too many messages in too
> short a time from auditd. If this happens then something is almost
> certainly off with auditd, as auditd is not supposed to flood journald
> with messages, after all it maintains its own auditing log database.
>
> Please ping the auditd folks for help
>
> Lennart
>
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
