go-audit process dies frequently on a busy system #25

Closed
3 tasks
nbommu1 opened this issue Feb 16, 2017 · 6 comments

@nbommu1

nbommu1 commented Feb 16, 2017

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

Hi,
The go-audit process dies frequently on a server which is too busy. It works as expected on the rest of the servers. So far I have increased the socket buffer receive 16384 x 3 with no luck. Can you help us out on this?

Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message, retrying in 1 second. Error: write unixgram @->/dev/log: write: message too long
Failed to write message. Error: write unixgram @->/dev/log: write: message too long

rsyslog is allowing message size $MaxMessageSize 20k

Reproducible in:

go-audit version: current version
OS version(s): Amazon Linux AMI release 2016.09

@nbommu1 nbommu1 changed the title from "go-audit process dies frequently" to "go-audit process dies frequently on a busy system" Feb 16, 2017
@nbrownus
Collaborator

/dev/log is a datagram socket and I don't recommend using it for this. There is a way to set up rsyslog to use a stream socket, which is much better suited to go-audit message sizes.

@nbommu1
Author

nbommu1 commented Feb 16, 2017

Thanks a lot,

Trying with these options.

network: udp
address: localhost:514

@nbommu1
Author

nbommu1 commented Feb 16, 2017

Unfortunately it died again with the same error message. I cleared the error log and started it again; will get more info on the next failure.

@nbrownus
Collaborator

That would be because you are still using a datagram transport mode. If you use tcp or a unix domain socket in stream mode you will remove the transit size limit.

@nbommu1
Author

nbommu1 commented Feb 17, 2017

Thanks, I have turned on TCP reception on that server and updated go-audit.yaml; things are looking good so far.

network: tcp
address: localhost:514

@nbommu1
Author

nbommu1 commented Feb 21, 2017

We have minimised logging on that server; so far things look good.

@nbommu1 nbommu1 closed this as completed Feb 21, 2017