Backup crashed server / audit: backlog limit exceeded

alext

This is a new Xen VPS CentOS 6 based server. It is running well except for periodic crashes. The crashes happen at 1am each time (but not every day). The only cron job running at that time is the WHM backup.

0 1 * * * /usr/local/cpanel/scripts/cpbackup

The server is under no heavy load and my external server monitor looks like normal activity (network, load, etc) and then dead at 1am.

According to my data center, there was a console message "audit: backlog limit exceeded"

So my assumption is that the cPanel backup system is triggering this issue. I researched "audit: backlog limit exceeded" and as a result followed the recommendation here:
audit: backlog limit exceeded problem - FedoraForum.org

Code:
[email protected] [~]# aureport --start today --event --summary -i

Event Summary Report
======================
total  type
======================
13853  NETFILTER_CFG
366  CRED_ACQ
366  USER_ACCT
365  USER_START
364  LOGIN
359  USER_END
358  CRED_DISP
13  CRYPTO_KEY_USER
4  CRYPTO_SESSION
4  USER_AUTH
2  CRED_REFR
2  USER_LOGIN
1  CONFIG_CHANGE

Code:
[email protected] [~]# aureport --start today

Summary Report
======================
Range of time in logs: 10/03/2012 00:00:01.591 - 10/03/2012 11:45:05.550
Selected time for report: 10/03/2012 00:00:00 - 10/03/2012 11:45:05.550
Number of changes in configuration: 1
Number of changes to accounts, groups, or roles: 0
Number of logins: 2
Number of failed logins: 0
Number of authentications: 4
Number of failed authentications: 0
Number of users: 3
Number of terminals: 6
Number of host names: 3
Number of executables: 6
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 17
Number of keys: 0
Number of process IDs: 13686
Number of events: 16078

and I made this change:
"To lengthen the backlog, edit /etc/audit/audit.rules and change the "-b 320" to "-b 8192"."

I do NOT want to let the server crash again to find out I didn't solve the problem but really don't know how to diagnose this issue.

Any ideas? Thanks.
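
Added example (not part of the original post): a shell/awk sketch that ranks the `aureport --event --summary -i` rows by share of all events, to show which record type is filling the audit queue, and reads the effective `-b` backlog value from audit.rules. The function names are hypothetical; the report rows are copied from the post above and the rules snippet is constructed.

```shell
#!/bin/sh
# Reads `aureport --event --summary -i` output on stdin; prints "TYPE COUNT PERCENT".
audit_event_shares() {
    awk '
        # Data rows are "<count> <TYPE>"; titles and rulers are skipped.
        NF == 2 && $1 ~ /^[0-9]+$/ { count[++n] = $1; type[n] = $2; total += $1 }
        END {
            if (total == 0) exit 1   # no data rows: empty log or wrong input
            for (i = 1; i <= n; i++)
                printf "%s %d %.1f\n", type[i], count[i], 100 * count[i] / total
        }'
}
# Prints the first type whose share exceeds $1 percent (default 50), if any.
dominant_event_type() {
    audit_event_shares | awk -v limit="${1:-50}" '$3 + 0 > limit + 0 { print $1; exit }'
}
# Reads audit.rules on stdin; prints the effective -b value (the last one set).
backlog_limit_from_rules() {
    awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "-b") b = $(i + 1) }
        END { if (b == "") exit 1; print b }'
}
# Rows copied from the event summary in the post above.
SAMPLE_REPORT='Event Summary Report
======================
total  type
======================
13853  NETFILTER_CFG
366  CRED_ACQ
366  USER_ACCT
365  USER_START
364  LOGIN
359  USER_END
358  CRED_DISP
13  CRYPTO_KEY_USER
4  CRYPTO_SESSION
4  USER_AUTH
2  CRED_REFR
2  USER_LOGIN
1  CONFIG_CHANGE'
# Constructed audit.rules content, using the value the post changed to.
SAMPLE_RULES='-D
-b 8192'
printf '%s\n' "$SAMPLE_REPORT" | dominant_event_type
printf '%s\n' "$SAMPLE_RULES" | backlog_limit_from_rules
```

On a live system the same functions take `aureport --start today --event --summary -i` and `/etc/audit/audit.rules` as input.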
 

cPanelTristan

Quality Assurance Analyst
Staff member
Is there a reason you have audit running on the server even? If you aren't specifically auditing a file, you could shut off the service for the time being.

Code:
/etc/init.d/auditd stop
chkconfig auditd off
 

alext

Thanks for the advice. I did disable audit as suggested. Not only has the server stopped crashing but it has apparently cured a few other issues. So this was obviously not a cPanel backup specific issue. Thanks.