Backup crashed server / audit: backlog limit exceeded

Discussion in 'General Discussion' started by alext, Oct 3, 2012.

  1. alext

    alext Registered

    This is a new Xen VPS CentOS 6 based server. It is running well except for periodic crashes. The crashes happen at 1am each time (but not every day). The only cron job running at that time is the WHM backup.

    0 1 * * * /usr/local/cpanel/scripts/cpbackup

    The server is under no heavy load and my external server monitor looks like normal activity (network, load, etc) and then dead at 1am.

    According to my data center, there was a console message "audit: backlog limit exceeded"

    So my assumption is that the cpanel backup system is triggering this issue. I researched "audit: backlog limit exceeded" and as a result followed the recommendation here:
    audit: backlog limit exceeded problem - FedoraForum.org

    Code:
    root@host [~]# aureport --start today --event --summary -i
    
    Event Summary Report
    ======================
    total  type
    ======================
    13853  NETFILTER_CFG
    366  CRED_ACQ
    366  USER_ACCT
    365  USER_START
    364  LOGIN
    359  USER_END
    358  CRED_DISP
    13  CRYPTO_KEY_USER
    4  CRYPTO_SESSION
    4  USER_AUTH
    2  CRED_REFR
    2  USER_LOGIN
    1  CONFIG_CHANGE
    
    Code:
    root@host [~]# aureport --start today
    
    Summary Report
    ======================
    Range of time in logs: 10/03/2012 00:00:01.591 - 10/03/2012 11:45:05.550
    Selected time for report: 10/03/2012 00:00:00 - 10/03/2012 11:45:05.550
    Number of changes in configuration: 1
    Number of changes to accounts, groups, or roles: 0
    Number of logins: 2
    Number of failed logins: 0
    Number of authentications: 4
    Number of failed authentications: 0
    Number of users: 3
    Number of terminals: 6
    Number of host names: 3
    Number of executables: 6
    Number of files: 0
    Number of AVC's: 0
    Number of MAC events: 0
    Number of failed syscalls: 0
    Number of anomaly events: 0
    Number of responses to anomaly events: 0
    Number of crypto events: 17
    Number of keys: 0
    Number of process IDs: 13686
    Number of events: 16078
    
    and I made this change:
    "To lengthen the backlog, edit /etc/audit/audit.rules and change the "-b 320"
    to "-b 8192". "

    I do NOT want to let the server crash again to find out I didn't solve the problem, but I really don't know how to diagnose this issue.

    Any ideas? Thanks.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Is there a reason you have audit running on the server even? If you aren't specifically auditing a file, you could shut off the service for the time being.

    Code:
    /etc/init.d/auditd stop
    chkconfig auditd off
     
  3. alext

    Thanks for the advice. I did disable audit as suggested. Not only has the server stopped crashing but it has apparently cured a few other issues. So this was obviously not a cpanel backup specific issue. Thanks.
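
The following is an added example, not code from the thread. It reads the two outputs that show audit queue pressure: the `aureport --event --summary` table (rows copied from the first post) and an `auditctl -s` status line (constructed here, assuming the single-line key=value form printed by older audit userspace). The function names and finding labels are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): read audit pressure from tool output.

# Busiest event type in `aureport --event --summary` text on stdin.
# Prints "TYPE COUNT PERCENT" (percent of all counted events, truncated).
top_event_type() {
    awk '$1 ~ /^[0-9]+$/ && NF == 2 {
             total += $1
             if ($1 > max) { max = $1; type = $2 }
         }
         END { if (total) printf "%s %d %d\n", type, max, int(max * 100 / total) }'
}

# Findings from one `auditctl -s` line of key=value pairs on stdin.
status_findings() {
    tr ' ' '\n' | awk -F= '
        { v[$1] = $2 }
        END {
            limit = v["backlog_limit"] + 0; queued = v["backlog"] + 0
            if (v["lost"] + 0 > 0) print "RECORDS_LOST " v["lost"]
            if (limit > 0 && queued * 100 / limit >= 80)
                print "BACKLOG_NEAR_LIMIT " queued "/" limit
            # Failure flag 2 (auditctl -f 2) makes the kernel panic on failure.
            if (v["flag"] + 0 == 2) print "PANIC_ON_FAILURE"
        }'
}

# Event counts copied from the aureport output in the first post.
SAMPLE_SUMMARY='total  type
13853  NETFILTER_CFG
366  CRED_ACQ
366  USER_ACCT
365  USER_START
364  LOGIN
359  USER_END
358  CRED_DISP
13  CRYPTO_KEY_USER
4  CRYPTO_SESSION
4  USER_AUTH
2  CRED_REFR
2  USER_LOGIN
1  CONFIG_CHANGE'

# Constructed status line; the values are illustrative, not from the thread.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=1177 rate_limit=0 backlog_limit=320 lost=4211 backlog=319'

printf '%s\n' "$SAMPLE_SUMMARY" | top_event_type
printf '%s\n' "$SAMPLE_STATUS" | status_findings
```

On a live host the same functions take `aureport --start today --event --summary -i | top_event_type` and `auditctl -s | status_findings`. A type that dominates the summary, as NETFILTER_CFG does in the first post, is the one to look at before raising `-b` or turning auditing off.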
     