Introduction

The Linux audit daemon (auditd) records security-relevant events to /var/log/audit/audit.log. When the filesystem holding the audit log fills up, auditd can no longer write events. What happens next is governed by disk_full_action: it can ignore the condition, log a message to syslog, rotate the logs, run a script (exec), suspend writing, drop the machine to single-user mode, or halt the system. Unless the action fails closed (single or halt), the daemon keeps running while critical events go unrecorded, which is a compliance gap and an attractive window for an attacker who has noticed the disk is full.

Symptoms

  • systemctl status auditd shows inactive (dead) or failed; with a SUSPEND action the daemon stays active but /var/log/audit/audit.log stops growing
  • ausearch -m USER_LOGIN returns no recent results even though users are logging in
  • df shows the filesystem holding /var/log/audit at or near 100% usage
  • dmesg shows audit: backlog limit exceeded, because the kernel queue fills once auditd stops draining it
  • Processes that generate audit events stall for up to backlog_wait_time while the kernel queue is full; with disk_full_action = HALT the whole system is halted instead

Common Causes

  • No retention policy: max_log_file_action = KEEP_LOGS (required by some hardening baselines) with nobody archiving the rotated files, so the log set grows unbounded
  • High-volume rules (directory-wide watches, unfiltered syscall rules) generating far more events than the partition was sized for
  • auditd's own rotation (max_log_file_action = ROTATE) not enabled; logrotate is not the mechanism here, because auditd keeps audit.log open and does not notice the file being rotated out from under it
  • Separate /var/log/audit partition too small for the workload
  • max_log_file and num_logs set so large that a full set of rotated logs cannot fit on the partition

Step-by-Step Fix

  1. Check auditd status, the kernel audit queue, and disk usage:

```bash
sudo systemctl status auditd
df -h /var/log/audit
ls -lh /var/log/audit/
sudo auditctl -s
```

     In the auditctl -s output, a non-zero lost count means the kernel has already dropped events, and a large backlog means auditd is not draining the queue. With a SUSPEND action the daemon still reports a PID, so also check that audit.log is growing.

  2. Free space by rotating and then compressing the old log. Do not gzip the live audit.log while auditd is writing to it: the daemon keeps the file open, so gzip unlinking it releases no space until a restart, and events written in between are lost.

```bash
cd /var/log/audit
# SIGUSR1 rotates: audit.log becomes audit.log.1 and a fresh audit.log is opened
# (audit 3.x alternative: sudo auditctl --signal rotate)
sudo service auditd rotate
sudo gzip audit.log.1
sudo mv audit.log.1.gz audit.log.$(date +%Y%m%d).gz
# After a disk-full suspend, writing does not resume on its own (SIGUSR2)
sudo service auditd resume
```

     If auditd is not running at all, compress audit.log directly and then start the daemon. Archive the compressed file off-box rather than deleting it if your retention policy covers those events.

  3. Configure log rotation in /etc/audit/auditd.conf:

```bash
sudo nano /etc/audit/auditd.conf
```

     Set the following (keep comments on their own lines; auditd.conf does not take trailing comments after a value):

```ini
# size of each log file in megabytes
max_log_file = 100
# rotate instead of stopping: keeps audit.log plus num_logs-1 rotated files
max_log_file_action = ROTATE
# 10 x 100 MB = about 1 GB on disk for the whole set
num_logs = 10
# free megabytes below which to warn (recent versions also accept a percentage, e.g. 25%)
space_left = 2000
space_left_action = SYSLOG
# must be less than space_left or auditd rejects the configuration
admin_space_left = 1000
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
```

     SUSPEND keeps the system running but stops writing, which is exactly the gap described in the introduction. Environments that must never lose audit events use HALT or SINGLE for admin_space_left_action and disk_full_action instead; pick one deliberately rather than by default.

  4. Reload the configuration and confirm the daemon is enabled and has a PID:

```bash
sudo systemctl reload auditd   # sends SIGHUP; equivalent: sudo service auditd reload
sudo auditctl -s
```

     If a setting does not take effect on reload, restart the daemon. On RHEL-family systems the unit refuses systemctl stop and restart; use sudo service auditd restart.

  5. Reduce audit rule volume if the rules generate too many events:

```bash
sudo auditctl -l
# See which keys produce the most records before removing anything
sudo aureport -k --summary
# Remove overly broad rules like -w /etc -p wa (every write and attribute change under /etc)
sudo auditctl -D # Clear all runtime rules
# Add targeted rules instead
sudo auditctl -w /etc/shadow -p wa -k identity
sudo auditctl -w /etc/sudoers -p wa -k sudoers
```

     auditctl changes are runtime only: make the same edits in /etc/audit/rules.d/*.rules and load them with augenrules --load so the slimmer rule set survives a reboot. If the rule set ends with -e 2 (immutable), auditctl -D is refused and the change needs a reboot.

  6. Move the audit log to a larger partition or ship it to a remote server. For a larger local filesystem, mount it, set log_file in /etc/audit/auditd.conf to the new path, and keep the directory root-owned with mode 0700 like /var/log/audit. For remote delivery, the au-remote plugin forwards records over TCP (Kerberos optional, plain TCP otherwise, so keep the collector on a protected path):

```bash
sudo apt install audispd-plugins
sudo nano /etc/audit/plugins.d/au-remote.conf   # active = yes
sudo nano /etc/audit/audisp-remote.conf         # remote_server = <collector>
```

     On audit 2.x the same files live under /etc/audisp/plugins.d/ and /etc/audisp/. The syslog plugin (plugins.d/syslog.conf) is the alternative: it hands records to the local syslog daemon, which then forwards them with its own transport.

Prevention

  • Set max_log_file and num_logs so that num_logs x max_log_file plus space_left fits on the partition, and derive both from the retention period your compliance requirements demand
  • Use a dedicated partition for /var/log/audit with adequate sizing (at least 10-20GB)
  • Monitor free space on the audit partition with automated alerts at 70% usage
  • Configure space_left_action = EMAIL for proactive notification; it needs action_mail_acct set and a working local MTA, otherwise no warning is delivered
  • Ship audit logs to a centralized SIEM so a local disk-full condition does not become a gap in the record
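Step 3 and the first prevention bullet both come down to arithmetic that is easy to get wrong by hand: the rotated set occupies num_logs x max_log_file MB, space_left has to remain free on top of that, and admin_space_left must be below space_left or auditd rejects the file. The script below, added here as an example and not part of the original article or of the audit package, reads an auditd.conf-style file and checks those constraints against a partition size. The configuration it parses is a constructed sample with the values used above; the partition sizes (10 GiB and 2 GiB) are assumptions for the demonstration, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or the audit project): sanity-check
# an auditd.conf rotation and space policy against the size of the audit partition.
# The sample configuration is constructed; point the check at
# /etc/audit/auditd.conf and the real partition size to use it on a host.
set -u

# conf_get FILE KEY: print the value of KEY from an auditd.conf-style file
# ("key = value", '#' comment lines); keys are matched case-insensitively.
conf_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (tolower(key) == tolower(k)) {
                val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# to_mb VALUE PARTITION_MB: audit 3.x accepts "25%" for space_left and
# admin_space_left; convert such values to megabytes of the partition.
to_mb() {
    case $1 in
        *%) echo $(( ${1%\%} * $2 / 100 )) ;;
        *)  echo "$1" ;;
    esac
}

# audit_space_check CONF PARTITION_MB: prints findings, returns 0 when the
# policy fits the partition and 1 when something needs fixing.
audit_space_check() {
    local conf=$1 part=$2 rc=0
    local max_log num_logs action space_left admin_left footprint
    max_log=$(conf_get "$conf" max_log_file);   max_log=${max_log:-0}
    num_logs=$(conf_get "$conf" num_logs);      num_logs=${num_logs:-0}
    action=$(conf_get "$conf" max_log_file_action | tr '[:upper:]' '[:lower:]')
    space_left=$(to_mb "$(conf_get "$conf" space_left)" "$part");       space_left=${space_left:-0}
    admin_left=$(to_mb "$(conf_get "$conf" admin_space_left)" "$part"); admin_left=${admin_left:-0}

    # ROTATE keeps audit.log plus audit.log.1 .. audit.log.(num_logs-1),
    # so the whole set occupies up to num_logs * max_log_file MB.
    footprint=$(( max_log * num_logs ))
    case $action in
        rotate)
            [ "$num_logs" -ge 2 ] || { echo "num_logs=$num_logs: ROTATE needs at least 2 files"; rc=1; }
            ;;
        keep_logs)
            echo "max_log_file_action=keep_logs: num_logs is ignored, the set grows without bound (footprint is a lower bound)"
            rc=1
            ;;
        *)
            echo "max_log_file_action=$action: no rotation; after max_log_file the daemon keeps writing (ignore/syslog) or stops (suspend)"
            footprint=$max_log
            rc=1
            ;;
    esac

    # auditd refuses a configuration where admin_space_left is not below space_left.
    [ "$admin_left" -lt "$space_left" ] || { echo "admin_space_left ($admin_left MB) must be less than space_left ($space_left MB)"; rc=1; }

    # The full log set must fit while still leaving space_left MB free, otherwise
    # routine rotation alone drives the partition into the warning zone.
    if [ $(( footprint + space_left )) -gt "$part" ]; then
        echo "logs (${footprint} MB) + space_left (${space_left} MB) exceed the ${part} MB partition"
        rc=1
    else
        echo "ok: ${footprint} MB of logs + ${space_left} MB headroom fits in ${part} MB"
    fi
    return $rc
}

# Constructed sample matching the settings used in step 3.
sample_conf() {
    cat <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 100
max_log_file_action = ROTATE
num_logs = 10
space_left = 2000
space_left_action = SYSLOG
admin_space_left = 1000
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
}

# Stand-alone demo: the same policy on an assumed 10 GiB and 2 GiB partition.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
for size in 10240 2048; do
    if audit_space_check "$demo_conf" "$size"; then echo "-> $size MB: fits"; else echo "-> $size MB: fix before deploying"; fi
done
rm -f "$demo_conf"
```

Run it as a pre-deployment check in whatever pushes auditd.conf to hosts: the 10 GiB case passes (1000 MB of logs plus 2000 MB headroom), the 2 GiB case fails, which is the situation this article is troubleshooting.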