Kernel 6.18 & audit framework

Hi! My audit framework works properly on kernel 6.12.x. After installing the new 6.18.x, strange messages like:

audit: error in audit_log_subj_ctx
audit: kauditd hold queue overflow
audit: audit_lost=1458 audit_rate_limit=0 audit_backlog_limit=64
audit_panic: 384 callbacks suppressed

started to appear, and the auditd service cannot be started or restarted.

My audit rules are:

```
-D
-b 16384
-f 0
--backlog_wait_time 60000
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
-a exclude,always -F msgtype=BPF
-a exclude,always -F exe=/usr/bin/sudo
```

I cannot figure out where the problem is, kernel or audit. I was not able to find similar issues on the net.

AFAIK the kernels do not use audit?
I had the same errors; solved by adding boot-parameter audit=0 to /etc/default/grub
And disabled everything in systemd called “audit*”.

Perhaps you can gather info from Audit framework - ArchWiki


From there I started with audit.

OK! Mine is set to 1 and I want to use it.


I do not use audit myself, but I see many other people have problems related to backlog limit size.

You run a backlog limit of only 64 (the default).

Try increasing it to 4 to 16 times the size?

If you’re doing this via kernel parameters..

audit=1, audit_backlog_limit=1024

Or higher?

Why it happens now and not before? No idea. Could be watching for way more stuff, and it’s way more secure! :nerd_face:

Unfortunately:

```
[fury@MANJARO ~]$ uname -r
6.18.12-1-MANJARO

[fury@MANJARO ~]$ journalctl -b | grep audit

мар 03 11:11:44 MANJARO kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.18-x86_64 root=UUID=22fc4ea8-677c-4d74-a777-cca19e806dab rw udev.log_priority=3 intel_iommu=on iommu=pt ipv6.disable=1 apparmor=1 security=apparmor audit=1 audit_backlog_limit=1024 acpi_enforce_resources=lax
мар 03 11:11:44 MANJARO kernel: Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.18-x86_64 root=UUID=22fc4ea8-677c-4d74-a777-cca19e806dab rw udev.log_priority=3 intel_iommu=on iommu=pt ipv6.disable=1 apparmor=1 security=apparmor audit=1 audit_backlog_limit=1024 acpi_enforce_resources=lax
мар 03 11:11:44 MANJARO kernel: audit: enabled (after initialization)
мар 03 11:11:44 MANJARO kernel: audit: audit_backlog_limit: 1024
мар 03 11:11:44 MANJARO kernel: audit: initializing netlink subsys (enabled)
мар 03 11:11:44 MANJARO kernel: audit: type=2000 audit(1772536298.055:1): state=initialized audit_enabled=1 res=1
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO kernel: audit: type=1409 audit(1772536299.346:2): netlabel: auid=0 ses=0 nlbl_domain=(default) nlbl_protocol=unlbl res=1
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO kernel: audit: type=1406 audit(1772536299.346:3): netlabel: auid=0 ses=0 unlbl_accept=1 old=0
мар 03 11:11:44 MANJARO kernel: audit: type=1400 audit(1772536299.372:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
мар 03 11:11:44 MANJARO kernel: audit: type=1400 audit(1772536302.512:5): apparmor="STATUS" info="AppArmor sha256 policy hashing enabled" pid=1 comm="swapper/0"
мар 03 11:11:44 MANJARO kernel: audit: type=1334 audit(1772529104.513:6): prog-id=1 op=LOAD
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO kernel: audit: type=1300 audit(1772529104.513:6): arch=c000003e syscall=321 success=yes exit=8 a0=5 a1=7fffa0d64980 a2=a8 a3=7fffa0d64980 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
мар 03 11:11:44 MANJARO kernel: audit: type=1327 audit(1772529104.513:6): proctitle="/sbin/init"
мар 03 11:11:44 MANJARO kernel: audit: type=1334 audit(1772529104.513:7): prog-id=1 op=UNLOAD
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO kernel: audit: type=1300 audit(1772529104.513:7): arch=c000003e syscall=3 success=yes exit=0 a0=8 a1=0 a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
мар 03 11:11:44 MANJARO kernel: audit: type=1327 audit(1772529104.513:7): proctitle="/sbin/init"
мар 03 11:11:44 MANJARO kernel: audit: type=1334 audit(1772529104.517:8): prog-id=2 op=LOAD
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO systemd-journald[357]: Collecting audit messages is disabled.
мар 03 11:11:46 MANJARO auditd[759]: No plugins found, not dispatching events
мар 03 11:11:46 MANJARO auditd[759]: Unable to set initial audit startup state to 'enable', exiting
мар 03 11:11:46 MANJARO auditd[759]: The audit daemon is exiting.
мар 03 11:11:46 MANJARO auditd[757]: Cannot daemonize (Success)
мар 03 11:11:46 MANJARO auditd[757]: The audit daemon is exiting.
мар 03 11:11:46 MANJARO systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
мар 03 11:11:46 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:46 MANJARO auditctl[784]: There was an error in line 4 of /etc/audit/audit.rules
мар 03 11:11:46 MANJARO systemd[1]: audit-rules.service: Main process exited, code=exited, status=1/FAILURE
мар 03 11:11:46 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:46 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 1.
мар 03 11:11:46 MANJARO auditd[791]: No plugins found, not dispatching events
мар 03 11:11:46 MANJARO auditd[791]: Unable to set initial audit startup state to 'enable', exiting
мар 03 11:11:46 MANJARO auditd[791]: The audit daemon is exiting.
мар 03 11:11:46 MANJARO auditd[790]: Cannot daemonize (Success)
мар 03 11:11:46 MANJARO auditd[790]: The audit daemon is exiting.
мар 03 11:11:46 MANJARO systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
мар 03 11:11:46 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:46 MANJARO auditctl[813]: There was an error in line 4 of /etc/audit/audit.rules
мар 03 11:11:46 MANJARO systemd[1]: audit-rules.service: Main process exited, code=exited, status=1/FAILURE
мар 03 11:11:46 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 2.
мар 03 11:11:47 MANJARO auditd[819]: No plugins found, not dispatching events
мар 03 11:11:47 MANJARO auditd[819]: Unable to set initial audit startup state to 'enable', exiting
мар 03 11:11:47 MANJARO auditd[819]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO auditd[818]: Cannot daemonize (Success)
мар 03 11:11:47 MANJARO auditd[818]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO auditctl[839]: There was an error in line 4 of /etc/audit/audit.rules
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Main process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 3.
мар 03 11:11:47 MANJARO auditd[849]: No plugins found, not dispatching events
мар 03 11:11:47 MANJARO auditd[849]: Unable to set initial audit startup state to 'enable', exiting
мар 03 11:11:47 MANJARO auditd[849]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO auditd[846]: Cannot daemonize (Success)
мар 03 11:11:47 MANJARO auditd[846]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO auditctl[884]: There was an error in line 4 of /etc/audit/audit.rules
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Main process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 4.
мар 03 11:11:47 MANJARO auditd[966]: No plugins found, not dispatching events
мар 03 11:11:47 MANJARO auditd[966]: Unable to set initial audit startup state to 'enable', exiting
мар 03 11:11:47 MANJARO auditd[966]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO auditd[955]: Cannot daemonize (Success)
мар 03 11:11:47 MANJARO auditd[955]: The audit daemon is exiting.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Control process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO auditctl[1027]: There was an error in line 4 of /etc/audit/audit.rules
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Main process exited, code=exited, status=1/FAILURE
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Start request repeated too quickly.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Start request repeated too quickly.
мар 03 11:11:47 MANJARO systemd[1]: audit-rules.service: Failed with result 'exit-code'.
мар 03 11:11:50 MANJARO kernel: audit_panic: 1554 callbacks suppressed
мар 03 11:11:50 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:50 MANJARO kernel: audit: type=1130 audit(1772529110.298:355): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=rtkit-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:11:50 MANJARO kernel: audit: audit_lost=142 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:11:50 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:11:50 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:50 MANJARO kernel: audit: type=1131 audit(1772529110.371:356): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:11:50 MANJARO kernel: audit: audit_lost=143 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:11:50 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:11:50 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:50 MANJARO kernel: audit: type=1325 audit(1772529110.456:357): table=firewalld:28 family=1 entries=38 op=nft_register_rule pid=1016 comm="firewalld"
мар 03 11:11:58 MANJARO kernel: audit_panic: 23 callbacks suppressed
мар 03 11:11:58 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:58 MANJARO kernel: audit: type=1131 audit(1772529118.062:361): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=NetworkManager-dispatcher comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:11:58 MANJARO kernel: audit: audit_lost=151 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:11:58 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:00 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:00 MANJARO kernel: audit: type=1100 audit(1772529120.949:362): pid=1346 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_shells,pam_faillock,pam_permit,pam_faillock acct="fury" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=? res=success'
мар 03 11:12:00 MANJARO kernel: audit: audit_lost=152 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:00 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:00 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:00 MANJARO kernel: audit: type=1101 audit(1772529120.950:363): pid=1346 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="fury" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=? res=success'
мар 03 11:12:03 MANJARO aa-notify[1709]: ERROR: The logfile /var/log/audit/audit.log does not exist. Please check the path.
мар 03 11:12:03 MANJARO kernel: audit_panic: 108 callbacks suppressed
мар 03 11:12:03 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:03 MANJARO kernel: audit: type=1130 audit(1772529123.326:382): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=packagekit comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:12:03 MANJARO kernel: audit: audit_lost=184 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:03 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:03 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:03 MANJARO kernel: audit: type=1130 audit(1772529123.332:383): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=pamac-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:12:03 MANJARO kernel: audit: audit_lost=185 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:03 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:03 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:03 MANJARO kernel: audit: type=1131 audit(1772529123.532:384): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=pamac-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:12:11 MANJARO kernel: kauditd_printk_skb: 2 callbacks suppressed
мар 03 11:12:11 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:11 MANJARO kernel: audit: type=1334 audit(1772529131.142:385): prog-id=49 op=LOAD
мар 03 11:12:11 MANJARO kernel: audit: audit_lost=187 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:11 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:11 MANJARO kernel: audit: type=1300 audit(1772529131.142:385): arch=c000003e syscall=321 success=yes exit=259 a0=5 a1=7fffa0d64270 a2=a8 a3=7fffa0d64270 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
мар 03 11:12:11 MANJARO kernel: audit: audit_lost=188 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:11 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:11 MANJARO kernel: audit: type=1327 audit(1772529131.142:385): proctitle="/sbin/init"
мар 03 11:12:11 MANJARO kernel: audit: audit_lost=189 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:11 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:18 MANJARO kernel: audit_panic: 50 callbacks suppressed
мар 03 11:12:18 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:12:18 MANJARO kernel: audit: type=1131 audit(1772529138.036:394): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:12:18 MANJARO kernel: audit: audit_lost=205 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:18 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:12:18 MANJARO kernel: audit: type=1334 audit(1772529138.074:395): prog-id=35 op=UNLOAD
мар 03 11:12:18 MANJARO kernel: audit: audit_lost=206 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:12:18 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:17:42 MANJARO kernel: audit: type=1334 audit(1772525862.654:396): prog-id=52 op=LOAD
мар 03 10:17:42 MANJARO kernel: audit: audit_lost=207 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:17:42 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 10:17:42 MANJARO kernel: audit_panic: 33 callbacks suppressed
мар 03 10:17:42 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 10:17:42 MANJARO kernel: audit: type=1130 audit(1772525862.695:399): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-localed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 10:17:42 MANJARO kernel: audit: audit_lost=219 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:17:42 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:17:42 MANJARO kernel: audit: type=1334 audit(1772525862.701:400): prog-id=55 op=LOAD
мар 03 10:17:42 MANJARO kernel: audit: audit_lost=220 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:17:42 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 10:17:42 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:17:42 MANJARO kernel: audit: type=1300 audit(1772525862.701:400): arch=c000003e syscall=321 success=yes exit=207 a0=5 a1=7fffa0d64270 a2=a8 a3=7fffa0d64270 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key=(null)
мар 03 10:17:42 MANJARO kernel: audit: audit_lost=221 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:00 MANJARO kernel: audit_panic: 10 callbacks suppressed
мар 03 10:18:00 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 10:18:00 MANJARO kernel: audit: type=1131 audit(1772525880.882:402): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-timedated comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 10:18:00 MANJARO kernel: audit: audit_lost=225 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:00 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:18:00 MANJARO kernel: audit: type=1334 audit(1772525880.893:403): prog-id=51 op=UNLOAD
мар 03 10:18:00 MANJARO kernel: audit: audit_lost=226 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:00 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:18:00 MANJARO kernel: audit: type=1334 audit(1772525880.893:404): prog-id=50 op=UNLOAD
мар 03 10:18:00 MANJARO kernel: audit: audit_lost=227 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:00 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:18:12 MANJARO kernel: audit_panic: 3 callbacks suppressed
мар 03 10:18:12 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 10:18:12 MANJARO kernel: audit: type=1131 audit(1772525892.733:406): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-localed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 10:18:12 MANJARO kernel: audit: audit_lost=229 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:12 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:18:12 MANJARO kernel: audit: type=1334 audit(1772525892.772:407): prog-id=54 op=UNLOAD
мар 03 10:18:12 MANJARO kernel: audit: audit_lost=230 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:12 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 10:18:12 MANJARO kernel: audit: type=1334 audit(1772525892.772:408): prog-id=53 op=UNLOAD
мар 03 10:18:12 MANJARO kernel: audit: audit_lost=231 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 10:18:12 MANJARO kernel: audit: kauditd hold queue overflow
[fury@MANJARO ~]$ systemctl status auditd
× auditd.service - Security Audit Logging Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2026-03-03 11:11:47 EET; 51min left
Invocation: eff2ab7f4168438d8c4068760d9a38fc
Docs: man:auditd(8)
Process: 955 ExecStart=/usr/bin/auditd (code=exited, status=1/FAILURE)
Mem peak: 2M
CPU: 9ms

мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Scheduled restart job, restart counter is at 5.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Start request repeated too quickly.
мар 03 11:11:47 MANJARO systemd[1]: auditd.service: Failed with result 'exit-code'.
мар 03 11:11:47 MANJARO systemd[1]: Failed to start Security Audit Logging Service.
```

MOD EDIT: Fixed formatting.

…. and this is the old kernel behaviour:

```
[fury@MANJARO ~]$ uname -r
6.12.73-1-MANJARO

[fury@MANJARO ~]$ journalctl -b | grep audit
мар 03 11:23:18 MANJARO kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64 root=UUID=22fc4ea8-677c-4d74-a777-cca19e806dab rw udev.log_priority=3 intel_iommu=on iommu=pt ipv6.disable=1 apparmor=1 security=apparmor audit=1 acpi_enforce_resources=lax
мар 03 11:23:18 MANJARO kernel: Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.12-x86_64 root=UUID=22fc4ea8-677c-4d74-a777-cca19e806dab rw udev.log_priority=3 intel_iommu=on iommu=pt ipv6.disable=1 apparmor=1 security=apparmor audit=1 acpi_enforce_resources=lax
мар 03 11:23:18 MANJARO kernel: audit: enabled (after initialization)
мар 03 11:23:18 MANJARO kernel: audit: initializing netlink subsys (enabled)
мар 03 11:23:18 MANJARO kernel: audit: type=2000 audit(1772536991.073:1): state=initialized audit_enabled=1 res=1
мар 03 11:23:18 MANJARO kernel: audit: type=1409 audit(1772536992.373:2): netlabel: auid=0 ses=0 subj=unconfined nlbl_domain=(default) nlbl_protocol=unlbl res=1
мар 03 11:23:18 MANJARO kernel: audit: type=1406 audit(1772536992.373:3): netlabel: auid=0 ses=0 subj=unconfined unlbl_accept=1 old=0
мар 03 11:23:18 MANJARO kernel: audit: type=1400 audit(1772536992.396:4): apparmor="STATUS" info="AppArmor Filesystem Enabled" pid=1 comm="swapper/0"
мар 03 11:23:18 MANJARO kernel: audit: type=1400 audit(1772536995.506:5): apparmor="STATUS" info="AppArmor sha256 policy hashing enabled" pid=1 comm="swapper/0"
мар 03 11:23:18 MANJARO kernel: audit: type=1334 audit(1772529797.772:6): prog-id=1 op=LOAD
мар 03 11:23:18 MANJARO kernel: audit: type=1300 audit(1772529797.772:6): arch=c000003e syscall=321 success=yes exit=8 a0=5 a1=7fff62df1490 a2=a8 a3=7fff62df1490 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=unconfined key=(null)
мар 03 11:23:18 MANJARO kernel: audit: type=1327 audit(1772529797.772:6): proctitle="/sbin/init"
мар 03 11:23:18 MANJARO kernel: audit: type=1334 audit(1772529797.772:7): prog-id=1 op=UNLOAD
мар 03 11:23:18 MANJARO kernel: audit: type=1300 audit(1772529797.772:7): arch=c000003e syscall=3 success=yes exit=0 a0=8 a1=0 a2=0 a3=0 items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=unconfined key=(null)
мар 03 11:23:18 MANJARO kernel: audit: type=1327 audit(1772529797.772:7): proctitle="/sbin/init"
мар 03 11:23:18 MANJARO kernel: audit: type=1334 audit(1772529797.775:8): prog-id=2 op=LOAD
мар 03 11:23:18 MANJARO kernel: audit: type=1300 audit(1772529797.775:8): arch=c000003e syscall=321 success=yes exit=10 a0=5 a1=7fff62df1200 a2=94 a3=7f7a7a48d3cf items=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" subj=unconfined key=(null)
мар 03 11:23:18 MANJARO kernel: audit: type=1327 audit(1772529797.775:8): proctitle="/sbin/init"
мар 03 11:23:18 MANJARO kernel: audit: type=1334 audit(1772529797.775:9): prog-id=2 op=UNLOAD
мар 03 11:23:18 MANJARO systemd-journald[361]: Collecting audit messages is disabled.
мар 03 11:23:20 MANJARO auditd[758]: No plugins found, not dispatching events
мар 03 11:23:20 MANJARO auditd[758]: Init complete, auditd 4.1.2 listening for events (startup state enable)
мар 03 11:23:20 MANJARO systemd[1]: audit-rules.service: Deactivated successfully.
мар 03 11:23:35 MANJARO aa-notify[1609]: ERROR: The logfile /var/log/audit/audit.log does not exist. Please check the path.

[fury@MANJARO ~]$ systemctl status auditd
● auditd.service - Security Audit Logging Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-03-03 11:23:20 EET; 53min left
 Invocation: 5b3df3e598d5452fb11e204344ddb499
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 757 ExecStart=/usr/bin/auditd (code=exited, status=0/SUCCESS)
   Main PID: 758 (auditd)
      Tasks: 2 (limit: 38068)
     Memory: 1M (peak: 1.9M)
        CPU: 6ms
     CGroup: /system.slice/auditd.service
             └─758 /usr/bin/auditd

мар 03 11:23:20 MANJARO systemd[1]: Starting Security Audit Logging Service...
мар 03 11:23:20 MANJARO auditd[758]: No plugins found, not dispatching events
мар 03 11:23:20 MANJARO auditd[758]: Init complete, auditd 4.1.2 listening for events (>
мар 03 11:23:20 MANJARO systemd[1]: Started Security Audit Logging Service.
```

I don’t think this is the cause, but you may want to address this.


But it looks like the change almost made it work..

Before:

  • audit_lost=1458 audit_rate_limit=0 audit_backlog_limit=64

After:

  • audit_lost=229 audit_rate_limit=0 audit_backlog_limit=1024

You just missed the limit by 200, when setting it to 1024.

You could make it 16384. It’s getting just over 1500 in one second, then croaks.


That would seem to fix it, but I would wonder why a limit of 64 per second was fine before, and now I need over 1500.

Rather than grep, this way may be a little better.. (Adding --no-pager is only for copy/pasting or redirecting output..)

journalctl -u auditd -b

Aside from seeing warnings and errors, this is only to spot patterns, or something happening over and over, just to make sure there isn't something like a faulty or misconfigured service causing these events.

I know many audit events can be lobbed into one log entry, but did you really see 1024 events in one second? These logs seem… small.

It would be nice to see what is happening around those events. Also seeing --priority=6 outside the auditd.service logs, just to see what it's trying to do around those events. But this could be a lot of text.

Or is this just normal for 6.18? Over 1000 audit events per second does sound like a lot, but I do not know what is high or low. (And I would touch the rate limiter last.)


Just so you know..

In markdown view, if you put large amounts of text in triple back ticks, it is a little easier to read. (The code block button in the rich text editor view, I believe, does both, depending on what you have highlighted.)

Like so:
```

TEXT

```

(Single back ticks works better for things like: echo "Shorter things.")
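As an added illustration of the pattern-spotting suggested above (this is example code written for this thread, not code from any of the posts or from the Linux audit project), the script below parses the kernel-side audit lines as they appear in `journalctl -b | grep audit`, counts distinct events per second by their `audit(<sec>.<ms>:<serial>)` stamp, follows the `audit_lost` counter and the `audit_backlog_limit` it reports, tallies the `kauditd hold queue overflow` and `error in audit_log_subj_ctx` messages, and lists which record types arrive without a `subj=` field. The sample lines are copied from the 6.18 and 6.12 excerpts in this thread; the names `AuditSummary`, `summarise()` and the regular expressions are this example's own.

```python
"""Summarise kernel-side audit lines from `journalctl -b | grep audit` output.

Example code written for this thread (not from the original posts or from the
Linux audit project). Sample lines below are copied from the journal excerpts
posted above; AuditSummary and summarise() are this example's own names.
"""
import re
import sys
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, Optional

# One audit record: "audit: type=<T> audit(<sec>.<ms>:<serial>): <body>"
RECORD_RE = re.compile(r"audit: type=(\d+) audit\((\d+)\.(\d+):(\d+)\): (.*)$")
# Counter line the kernel prints when kauditd drops records.
LOST_RE = re.compile(r"audit_lost=(\d+) audit_rate_limit=(\d+) audit_backlog_limit=(\d+)")
# Rate-limited audit_panic() notices.
PANIC_RE = re.compile(r"audit_panic: (\d+) callbacks suppressed")
SUBJ_CTX_ERR = "error in audit_log_subj_ctx"
OVERFLOW = "kauditd hold queue overflow"

# Constructed sample: lines copied from the 6.18 excerpt in this thread.
SAMPLE_6_18 = """\
мар 03 11:11:44 MANJARO kernel: audit: type=1409 audit(1772536299.346:2): netlabel: auid=0 ses=0 nlbl_domain=(default) nlbl_protocol=unlbl res=1
мар 03 11:11:44 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:44 MANJARO kernel: audit: type=1406 audit(1772536299.346:3): netlabel: auid=0 ses=0 unlbl_accept=1 old=0
мар 03 11:11:50 MANJARO kernel: audit_panic: 1554 callbacks suppressed
мар 03 11:11:50 MANJARO kernel: audit: error in audit_log_subj_ctx
мар 03 11:11:50 MANJARO kernel: audit: type=1130 audit(1772529110.298:355): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=rtkit-daemon comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:11:50 MANJARO kernel: audit: audit_lost=142 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:11:50 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:11:50 MANJARO kernel: audit: type=1131 audit(1772529110.371:356): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
мар 03 11:11:50 MANJARO kernel: audit: audit_lost=143 audit_rate_limit=0 audit_backlog_limit=1024
мар 03 11:11:50 MANJARO kernel: audit: kauditd hold queue overflow
мар 03 11:11:50 MANJARO kernel: audit: type=1325 audit(1772529110.456:357): table=firewalld:28 family=1 entries=38 op=nft_register_rule pid=1016 comm="firewalld"
"""

# Constructed sample: the matching netlabel line from the 6.12 excerpt, which still carries subj=.
SAMPLE_6_12 = """\
мар 03 11:23:18 MANJARO kernel: audit: type=1409 audit(1772536992.373:2): netlabel: auid=0 ses=0 subj=unconfined nlbl_domain=(default) nlbl_protocol=unlbl res=1
"""


@dataclass
class AuditSummary:
    records: int = 0                 # audit records seen (one journal line each)
    events: int = 0                  # distinct (timestamp, serial) pairs
    per_second: Counter = field(default_factory=Counter)  # events keyed by integer second
    subj_ctx_errors: int = 0
    overflows: int = 0
    suppressed: int = 0              # sum of "callbacks suppressed" counts
    lost_first: Optional[int] = None
    lost_last: Optional[int] = None
    backlog_limit: Optional[int] = None
    missing_subj: Counter = field(default_factory=Counter)  # record type -> records without subj=

    @property
    def lost_delta(self) -> int:
        if self.lost_first is None or self.lost_last is None:
            return 0
        return self.lost_last - self.lost_first

    @property
    def peak_per_second(self) -> int:
        return max(self.per_second.values(), default=0)


def summarise(lines: Iterable[str]) -> AuditSummary:
    s = AuditSummary()
    seen = set()
    for line in lines:
        if SUBJ_CTX_ERR in line:
            s.subj_ctx_errors += 1
            continue
        if OVERFLOW in line:
            s.overflows += 1
            continue
        m = PANIC_RE.search(line)
        if m:
            s.suppressed += int(m.group(1))
            continue
        m = LOST_RE.search(line)
        if m:
            lost = int(m.group(1))
            if s.lost_first is None:
                s.lost_first = lost
            s.lost_last = lost
            s.backlog_limit = int(m.group(3))
            continue
        m = RECORD_RE.search(line)
        if not m:
            continue                 # not a kernel audit record (command line, auditd, ...)
        rtype, sec, _ms, serial, body = m.groups()
        s.records += 1
        if (sec, serial) not in seen:  # multi-record events share one serial
            seen.add((sec, serial))
            s.events += 1
            s.per_second[int(sec)] += 1
        if "subj=" not in body:
            s.missing_subj[int(rtype)] += 1
    return s


if __name__ == "__main__":
    # `journalctl -b | grep audit | python3 this.py -` analyses live output; otherwise the sample.
    src = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_6_18.splitlines()
    r = summarise(src)
    print(f"records={r.records} events={r.events} peak/s={r.peak_per_second} "
          f"lost {r.lost_first}->{r.lost_last} (+{r.lost_delta}) backlog_limit={r.backlog_limit}")
    print(f"subj_ctx errors={r.subj_ctx_errors} overflows={r.overflows} suppressed={r.suppressed}")
    print("records without subj= by type:", dict(r.missing_subj))
```

Distinct serials rather than lines are counted because a single syscall event spans several records (the 1334/1300/1327 triples above share serial 6), so a per-line count overstates the rate the backlog actually has to absorb; the `missing_subj` table makes the difference between the two kernels visible without reading the raw lines side by side.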

Hi man! Thanks for your efforts!

The log file is there under root permissions by default.

This looks helpful but right now under 6.12 I can not estimate the output.

I don’t know how to check that:

"It would be nice to see what is happening around those events. Also seeing --priority=6 outside the auditd.service logs, just to see what it's trying to do around those events. But this could be a lot of text."

$ journalctl -p 6 -u auditd.service

gives almost the same as posted above.

:+1: Thank you! I tried a few things with it.

To continue the main story… I am already not sure if this topic should be in this forum, but I tried Endeavour and Cachy. Same story. The only difference is that there, in both, 6.18 is not marked as LTS!

Maybe this new kernel has another mechanism to handle this!

This was my first participation in the forum and I am very happy with that!

For now I'll leave this topic open to see if someone from the kernel maintainers will help with some idea.

I am sorry for the flood! Thanks again!

I ran into the same issue upgrading from 6.17 to 6.18. This thread was the only info I could find when I started searching for a fix.

The reason audit is failing in 6.18 and spamming with the message `kernel: audit: error in audit_log_subj_ctx` lies with these two lines from your 6.18 logs:

мар 03 11:11:44 MANJARO kernel: audit: type=1409 audit(1772536299.346:2): netlabel: auid=0 ses=0 nlbl_domain=(default) nlbl_protocol=unlbl res=1

мар 03 11:11:44 MANJARO kernel: audit: type=1406 audit(1772536299.346:3): netlabel: auid=0 ses=0 unlbl_accept=1 old=0

If you compare the above lines with the corresponding entries for netlabel from your 6.12 logs, you'll see that what is missing is `subj=unconfined`.

The fix for me was to add the following to my kernel parameters: `lsm=landlock,lockdown,yama,integrity,apparmor,bpf`. [You should also remove `security=apparmor` as `lsm=` is taking its place.]

The kernels already have `CONFIG_LSM="landlock,lockdown,yama,integrity,bpf"`, but for some reason starting in 6.18 it has to be made explicit in the kernel parameters. (Perhaps b/c of the use of apparmor?) If you find out why, let me know. :slight_smile:

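Added example, not code from the post above or from any project: a small checker that applies the kernel-parameter advice given there to a command-line string. The two command lines are constructed from this thread (`CMDLINE_BEFORE` is the 6.18 line shown in the journal excerpt; `CMDLINE_AFTER` is that same line with `lsm=...` substituted for `security=apparmor`), `CONFIG_LSM` is the value quoted in the post, and the finding codes and function names are this example's own. Run directly, it reads `/proc/cmdline` and, where securityfs is mounted, `/sys/kernel/security/lsm` (the kernel's list of LSMs actually initialised) and reports what it finds.

```python
"""Check how the LSM stack is selected on the kernel command line.

Example code written for this thread, not from the post above or from any
project. CMDLINE_BEFORE is the 6.18 command line from the journal excerpt;
CMDLINE_AFTER is that line with lsm=... in place of security=apparmor, as the
post suggests. Finding codes are this example's own.
"""
from typing import Dict, List, Optional

CMDLINE_BEFORE = (
    "BOOT_IMAGE=/boot/vmlinuz-6.18-x86_64 root=UUID=22fc4ea8-677c-4d74-a777-cca19e806dab rw "
    "udev.log_priority=3 intel_iommu=on iommu=pt ipv6.disable=1 apparmor=1 security=apparmor "
    "audit=1 audit_backlog_limit=1024 acpi_enforce_resources=lax"
)
CMDLINE_AFTER = CMDLINE_BEFORE.replace(
    "security=apparmor", "lsm=landlock,lockdown,yama,integrity,apparmor,bpf"
)
# CONFIG_LSM value quoted in the post above: the order used when lsm= is absent.
CONFIG_LSM = "landlock,lockdown,yama,integrity,bpf"


def parse_cmdline(cmdline: str) -> Dict[str, Optional[str]]:
    """Split 'key=value key2 ...' into a dict; bare flags such as 'rw' map to None."""
    params: Dict[str, Optional[str]] = {}
    for tok in cmdline.split():
        key, sep, val = tok.partition("=")
        params[key] = val if sep else None
    return params


def lsm_list(cmdline: str, config_lsm: str = CONFIG_LSM) -> List[str]:
    """The LSM order named by lsm=, or the built-in CONFIG_LSM order when lsm= is absent.

    Only the explicit lsm= path is modelled; what the kernel does with the
    legacy security= parameter is left to the kernel and not reproduced here.
    """
    lsm = parse_cmdline(cmdline).get("lsm")
    return (lsm if lsm else config_lsm).split(",")


def check_lsm_selection(cmdline: str, active_lsms: Optional[str] = None,
                        want: str = "apparmor") -> List[str]:
    """Apply the post's advice and return a list of finding codes (empty = fine):
    the wanted LSM should be named in an explicit lsm= list, security= should not
    be set alongside lsm=, and, if the contents of /sys/kernel/security/lsm are
    supplied, the wanted LSM should actually be active."""
    params = parse_cmdline(cmdline)
    findings: List[str] = []
    lsm = params.get("lsm")
    if lsm is None:
        findings.append("no-lsm-param")                 # kernel falls back to CONFIG_LSM
    elif want not in lsm.split(","):
        findings.append(f"lsm-param-lacks-{want}")
    if lsm is not None and "security" in params:
        findings.append("security-and-lsm-both-set")    # the post says to drop security=
    if active_lsms is not None and want not in active_lsms.split(","):
        findings.append(f"{want}-not-active")
    return findings


if __name__ == "__main__":
    # On a live system compare the real command line and the active LSM list.
    try:
        cmdline = open("/proc/cmdline").read().strip()
    except OSError:
        cmdline = CMDLINE_BEFORE
        print("no /proc/cmdline; using the constructed 6.18 command line")
    try:
        active: Optional[str] = open("/sys/kernel/security/lsm").read().strip()
    except OSError:
        active = None   # securityfs not mounted or not Linux
    print("lsm order from cmdline/CONFIG_LSM:", ",".join(lsm_list(cmdline)))
    print("active LSMs:", active)
    print("findings:", check_lsm_selection(cmdline, active) or "none")
```

`/sys/kernel/security/lsm` is the ground truth: if apparmor is absent from that list after a reboot with the new parameters, the command line never reached the kernel (an unregenerated grub config is the usual reason), whatever `/etc/default/grub` says.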

Hi! I just installed Debian 13 and it works with the same grub parameters on their 6.18.15+deb13-amd64.