incessant likely missed sequence messages #23
Comments
What is your current config for |
This is for Ubuntu.
root@ld5333:/etc# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
root@ld5333:/etc# go-audit -config /etc/go-audit.yaml
2017/02/08 Flushed existing audit rules
2017/02/08 Added audit rule #1
2017/02/08 Added audit rule #2
2017/02/08 Added audit rule #3
2017/02/08 Socket receive buffer size: 32768
2017/02/08 Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
2017/02/08 Ignoring syscall `` containing message type `1305` matching string `.*`
2017/02/08 Started processing events
2017/02/08 Likely missed sequence 588861, current 589363, worst message delay 0
2017/02/08 Likely missed sequence 588863, current 589365, worst message delay 0
2017/02/08 Likely missed sequence 588865, current 589367, worst message delay 0
2017/02/08 Likely missed sequence 588867, current 589369, worst message delay 0
^C
root@ld5333:/etc# cat /etc/go-audit.yaml
#########################################################################################
# Please note that until this bug spf13/viper#165 is fixed #
# you _must_ specify all values despite the fact that they talk about having a default. #
# Hopefully this problem with viper goes away soon #
#########################################################################################
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
  # Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
  # Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
  receive: 16384
# Configure message sequence tracking
message_tracking:
  # Track messages and identify if we missed any, default true
  enabled: true
  # Log out of orderness, these messages typically signify an overloading system, default false
  log_out_of_order: false
  # Maximum out of orderness before a missed sequence is presumed dropped, default 500
  max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
  # Writes to stdout
  # All program status logging will be moved to stderr
  stdout:
    #enabled: true
    enabled: false
    # Total number of attempts to write a line before considering giving up
    # If a write fails go-audit will sleep for 1 second before retrying
    # Default is 3
    attempts: 2
  # Writes logs to syslog
  syslog:
    #enabled: false
    enabled: true
    attempts: 5
    # Configure the type of socket this should be, default is unixgram
    # This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    #network: unixgram
    network: udp
    # Set the remote address to connect to, this can be a path or an ip address
    # This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
    #address: /dev/log
    address: 172.24.102.204:514
    # Sets the facility and severity for all events. See the table below for help
    # The default is 132 which maps to local0 | warn
    priority: 129 # local0 | emerg
    # Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
    # Default value is "go-audit"
    tag: "audit-thing"
  # Appends logs to a file
  file:
    enabled: false
    attempts: 2
    # Path of the file to write lines to
    # The actual file will be created if it is missing but make sure the parent directory exists
    path: /tmp/go-audit.log
    # Octal file mode for the log file, make sure to always have a leading 0
    mode: 0600
    # User and group that should own the log file
    #user: nobody
    #group: nogroup
    user: root
    group: root
# Configure logging, only stdout and stderr are used.
log:
  # Gives you a bit of control over log line prefixes. Default is 0 - nothing.
  # To get the `filename:lineno` you would set this to 16
  #
  # Ldate = 1 // the date in the local time zone: 2009/01/23
  # Ltime = 2 // the time in the local time zone: 01:23:23
  # Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
  # Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
  # Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
  # LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
  #
  # See also: https://golang.org/pkg/log/#pkg-constants
  flags: 0
  flags: 1
rules:
  # Watch all 64 bit program executions
  #- -a exit,always -F arch=b64 -S execve
  # Watch all 32 bit program executions
  #- -a exit,always -F arch=b32 -S execve
  - -a exit,always -S listen
  - -a exit,always -F arch=b64 -F a0=2 -F a1=2 -F a2=17 -S socket
  #- -a exit,always -F arch=b64 -S socket -F a0=3
  #- -a exit,always -F arch=b64 -S socket -F a0=4
  # Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
  # You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
  # This should be the last rule in the chain.
  - -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
filters:
  # Each filter consists of exactly 3 parts
  - syscall: 49 # The syscall id of the message group (a single log line from go-audit), to test against the regex
    message_type: 1306 # The message type identifier containing the data to test against the regex
    regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
  - syscall: ""
    message_type: 1305
    regex: .*
root@ld5333:/etc#
Bryan C. Jamieson
Senior Systems Engineer
THD Austin Technology Center North
13011 McCallen Pass
Austin, Tx 78753
W: 737-931-8627 C: 512-221-8906
Email: Bryan_Jamieson@homedepot.com
From: Nathan Brown <notifications@github.com>
Reply-To: slackhq/go-audit <reply@reply.github.com>
Date: Tuesday, February 7, 2017 at 10:06 PM
To: slackhq/go-audit <go-audit@noreply.github.com>
Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com>
Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23)
What is your current config for message_tracking.max_out_of_order <https://github.com/slackhq/go-audit/blob/master/go-audit.yaml.example#L24>?
The information in this Internet Email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this Email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this Email are subject to the terms and conditions expressed in any applicable governing The Home Depot terms of business or client engagement letter. The Home Depot disclaims all responsibility and liability for the accuracy and content of this attachment and for any damages or losses arising from any inaccuracies, errors, viruses, e.g., worms, trojan horses, etc., or other items of a destructive nature, which may be contained in this attachment and shall not be liable for direct, indirect, consequential or special damages in connection with this e-mail message or its attachment.
|
Either you have multiple processes fighting for the audit netlink socket or your computer isn't fast enough to process all the audit messages. Can you confirm that only one instance |
Nathan,
I forgot you had redirected me to govendor ☺ This is happening during the build of go-audit on rhel6.8, it’s not about running go-audit. Let me go open a ticket with govendor. The compile works on rhel 7.3 in a docker container running on the same virtual machine. Govendor seems to deal with all the stanzas ok in the vendor.json file except these two:
{
"checksumSHA1": "93uHIq25lffEKY47PV8dBPD+XuQ=",
"path": "gopkg.in/fsnotify.v1",
"revision": "a8a77c9133d2d6fd8334f3260d06f60e8d80a5fb",
"revisionTime": "2016-06-29T01:11:04Z"
},
{
"checksumSHA1": "SPMXWeoFQa5z0pLPmqpcFzyHqQQ=",
"path": "gopkg.in/yaml.v2",
"revision": "31c299268d302dd0aa9a0dcf765a3d58971ac83f",
"revisionTime": "2016-09-12T16:56:03Z"
}
From: Nathan Brown <notifications@github.com>
Reply-To: slackhq/go-audit <reply@reply.github.com>
Date: Friday, February 10, 2017 at 12:59 PM
To: slackhq/go-audit <go-audit@noreply.github.com>
Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com>
Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23)
Either you have multiple processes fighting for the audit netlink socket or your computer isn't fast enough to process all the audit messages. Can you confirm that only one instance go-audit is running and that auditd is not? While go-audit is running what does cpu utilization look like?
|
Can you confirm how many go-audit processes are running or that auditd is running when this happens? |
I replicated the problem this morning and here is what is running at the time the messages appear.
root@ld5333:~# ps -eaf | grep go-audit
root 29572 29383 0 10:10 pts/0 00:00:00 go-audit -config /etc/go-audit.yaml
root 29677 29443 0 11:05 pts/1 00:00:00 grep --color=auto go-audit
root@ld5333:~#
From: Nathan Brown <notifications@github.com>
Reply-To: slackhq/go-audit <reply@reply.github.com>
Date: Friday, February 17, 2017 at 4:31 PM
To: slackhq/go-audit <go-audit@noreply.github.com>
Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com>
Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23)
Can you confirm how many go-audit processes are running or that auditd is running when this happens?
|
Was |
root@ld5333:~# systemctl stop auditd
root@ld5333:~#
root@ld5333:~# systemctl status auditd
* auditd.service - Security Auditing Service
Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Thu 2017-01-05 17:32:11 EST; 1 months 17 days ago
Main PID: 11349 (code=exited, status=0/SUCCESS)
Feb 22 13:30:46 ld5333 systemd[1]: Stopped Security Auditing Service.
root@ld5333:~# systemctl status go-audit
* go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Mon 2017-02-20 10:11:48 EST; 2 days ago
Main PID: 16599 (code=killed, signal=TERM)
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable
root@ld5333:~# systemctl start go-audit
root@ld5333:~# systemctl status go-audit
* go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2017-02-22 13:34:12 EST; 5s ago
Main PID: 2296 (go-audit)
CGroup: /system.slice/go-audit.service
`-2296 /usr/local/bin/go-audit -config /etc/go-audit.yaml
Feb 22 13:34:12 ld5333 systemd[1]: Started go-audit.
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Flushed existing audit rules
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #1
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #2
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Added audit rule #3
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Socket receive buffer size: 32768
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Ignoring syscall `49` containing message type
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Ignoring syscall `` containing message type `1
Feb 22 13:34:12 ld5333 go-audit[2296]: 2017/02/22 Started processing events
lines 1-16/16 (END)
root@ld5333:~# ps -eaf | grep go-audit
root 2343 2263 0 13:42 pts/0 00:00:00 go-audit -config /etc/go-audit.yaml
root 2443 2405 0 13:47 pts/1 00:00:00 grep --color=auto go-audit
root@ld5333:~# grep 172 /etc/*yaml
address: 172.24.103.215:514
root@ld5333:~# systemctl restart sshd
[root@ld5405 ~]# host ld5405
ld5405.homedepot.com has address 172.24.103.215
[root@ld5405 ~]# nc -u -l 514
<129>2017-02-22T13:26:12-05:00 ln4668 audit-thing[6998]: {"sequence":2285,"timestamp":"1487787972.062","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=3 a1=80 a2=10 a3=7ffcdb21f4ac items=0 ppid=1 pid=7083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"}],"uid_map":{"0":"root"}}
<129>2017-02-22T13:26:12-05:00 ln4668 audit-thing[6998]: {"sequence":2286,"timestamp":"1487787972.062","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=4 a1=80 a2=1c a3=7ffcdb21f4ac items=0 ppid=1 pid=7083 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"}],"uid_map":{"0":"root"}}
^C
[root@ld5405 ~]# nc -u -l 514
<129>2017-02-22T13:35:50-05:00 ld5333 audit-thing[2296]: {"sequence":805853,"timestamp":"1487788550.460","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=3 a1=80 a2=0 a3=7ffe28997050 items=0 ppid=1 pid=2321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\" key=(null)"},{"type":1327,"data":"proctitle=2F7573722F7362696E2F73736864002D44"}],"uid_map":{"0":"root","4294967295":"UNKNOWN_USER"}}
<129>2017-02-22T13:35:50-05:00 ld5333 audit-thing[2296]: {"sequence":805854,"timestamp":"1487788550.468","messages":[{"type":1300,"data":"arch=c000003e syscall=50 success=yes exit=0 a0=4 a1=80 a2=0 a3=7ffe28996fe4 items=0 ppid=1 pid=2321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"sshd\" exe=\"/usr/sbin/sshd\
After like 4 hours it hasn’t done it this time ☺ Not sure what the deal is.
From: Nathan Brown <notifications@github.com>
Reply-To: slackhq/go-audit <reply@reply.github.com>
Date: Wednesday, February 22, 2017 at 12:08 PM
To: slackhq/go-audit <go-audit@noreply.github.com>
Cc: Bryan Jamieson <BRYAN_JAMIESON@homedepot.com>, Author <author@noreply.github.com>
Subject: Re: [slackhq/go-audit] incessant likely missed sequence messages (#23)
Was auditd running?
|
Description
incessant "Likely Missed sequence" messages
Reproducible in:
go-audit version:
OS version(s):
root@ld5333:/tmp# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
Steps to reproduce:
start go-audit and let run
Expected result:
Actual result:
root@ld5333:/tmp# ./go-audit -config go-audit.yaml
2017/02/03 Flushed existing audit rules
2017/02/03 Added audit rule #1
2017/02/03 Added audit rule #2
2017/02/03 Socket receive buffer size: 32768
2017/02/03 Ignoring syscall `49` containing message type `1306` matching string `saddr=(10..|0A..)`
2017/02/03 Ignoring syscall `` containing message type `1305` matching string `.*`
2017/02/03 Started processing events
2017/02/03 Likely missed sequence 504532, current 505034, worst message delay 0
2017/02/03 Likely missed sequence 504534, current 505036, worst message delay 0
2017/02/03 Likely missed sequence 504536, current 505038, worst message delay 0
2017/02/03 Likely missed sequence 504538, current 505040, worst message delay 0
2017/02/03 Likely missed sequence 504540, current 505042, worst message delay 0
2017/02/03 Likely missed sequence 504542, current 505044, worst message delay 0
2017/02/03 Likely missed sequence 504544, current 505046, worst message delay 0
2017/02/03 Likely missed sequence 504546, current 505048, worst message delay 0
2017/02/03 Likely missed sequence 504548, current 505050, worst message delay 0
2017/02/03 Likely missed sequence 504550, current 505052, worst message delay 0
2017/02/03 Likely missed sequence 504552, current 505054, worst message delay 0
2017/02/03 Likely missed sequence 504554, current 505056, worst message delay 0
2017/02/03 Likely missed sequence 504556, current 505058, worst message delay 0
2017/02/03 Likely missed sequence 504558, current 505060, worst message delay 0
2017/02/03 Likely missed sequence 504561, current 505062, worst message delay 0
2017/02/03 Likely missed sequence 504563, current 505064, worst message delay 0
2017/02/03 Likely missed sequence 504566, current 505068, worst message delay 0
2017/02/03 Likely missed sequence 504569, current 505070, worst message delay 0
2017/02/03 Likely missed sequence 504571, current 505072, worst message delay 0
2017/02/03 Likely missed sequence 504573, current 505074, worst message delay 0
2017/02/03 Likely missed sequence 504575, current 505076, worst message delay 0
^C
Attachments:
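Added example (not part of the original thread and not go-audit's own code): a small Go program that summarizes the `Likely missed sequence` status lines shown in this issue, so the size and regularity of the audit coverage gap can be measured or alerted on. `GapSummary` and `SummarizeGaps` are hypothetical names, the sample lines are copied from the output quoted above, and the loss ratio is an estimate that assumes the reports arrive in increasing sequence order.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog holds go-audit status lines copied from the output quoted in this issue.
const sampleLog = `2017/02/08 Started processing events
2017/02/08 Likely missed sequence 588861, current 589363, worst message delay 0
2017/02/08 Likely missed sequence 588863, current 589365, worst message delay 0
2017/02/08 Likely missed sequence 588865, current 589367, worst message delay 0
2017/02/08 Likely missed sequence 588867, current 589369, worst message delay 0`

// missedRe matches the status line format seen in the issue.
var missedRe = regexp.MustCompile(`Likely missed sequence (\d+), current (\d+), worst message delay (\d+)`)

// GapSummary (hypothetical type) describes the missed-sequence reports in a log.
type GapSummary struct {
	Reports     int     // number of "Likely missed sequence" lines
	FirstMissed int     // first missed sequence reported
	LastMissed  int     // last missed sequence reported
	MinLag      int     // smallest (current - missed)
	MaxLag      int     // largest (current - missed)
	WorstDelay  int     // largest "worst message delay" value seen
	LossRatio   float64 // estimated share of sequence numbers reported missing
}

// SummarizeGaps scans log text line by line and aggregates the reports.
// Lines that do not match the status format are skipped.
func SummarizeGaps(log string) GapSummary {
	var s GapSummary
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := missedRe.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		missed, err1 := strconv.Atoi(m[1])
		current, err2 := strconv.Atoi(m[2])
		delay, err3 := strconv.Atoi(m[3])
		if err1 != nil || err2 != nil || err3 != nil {
			continue // number too large to parse; ignore the line
		}
		lag := current - missed
		if s.Reports == 0 {
			s.FirstMissed, s.MinLag, s.MaxLag = missed, lag, lag
		}
		if lag < s.MinLag {
			s.MinLag = lag
		}
		if lag > s.MaxLag {
			s.MaxLag = lag
		}
		if delay > s.WorstDelay {
			s.WorstDelay = delay
		}
		s.LastMissed = missed
		s.Reports++
	}
	// Reports spread over the range of missed sequence numbers:
	// 0.5 means about every second sequence number was reported missing.
	if span := s.LastMissed - s.FirstMissed; s.Reports > 1 && span > 0 {
		s.LossRatio = float64(s.Reports-1) / float64(span)
	}
	return s
}

func main() {
	s := SummarizeGaps(sampleLog)
	fmt.Printf("reports=%d missed=%d..%d lag=%d..%d worst_delay=%d loss_ratio=%.2f\n",
		s.Reports, s.FirstMissed, s.LastMissed, s.MinLag, s.MaxLag, s.WorstDelay, s.LossRatio)
}
```

A loss ratio that stays near a fixed value with a constant lag, as in the sample, indicates steady loss rather than a short burst.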