Affected versions: RHEL 10

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution - Primary Fix
  7. Solution - Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Security events are lost under load, creating compliance and forensics gaps.

Environment & Reproduction

Seen on busy systems with verbose audit rules and slow disk/log forwarding.

systemctl status auditd ; sudo aureport --summary

Root Cause Analysis

Kernel audit queue fills faster than auditd can persist or forward records.

Quick Triage

Confirm backlog drops and current audit queue settings.

sudo journalctl -k -n 120 | grep -Ei 'audit.*backlog' ; sudo auditctl -s

Step-by-Step Diagnosis

Review audit rules volume and storage throughput constraints.

sudo auditctl -l | wc -l ; sudo grep -E 'backlog|rate_limit|flush' /etc/audit/auditd.conf

Solution - Primary Fix

Increase the kernel backlog limit and switch auditd to asynchronous incremental flushing. The audit_backlog_limit kernel argument applies from the next boot.

sudo grubby --update-kernel=ALL --args='audit_backlog_limit=8192' ; sudo sed -i 's/^flush =.*/flush = INCREMENTAL_ASYNC/' /etc/audit/auditd.conf ; sudo systemctl restart auditd

Solution - Alternative Approaches

Reduce low-value audit rules and offload heavy events to targeted policies.

Verification & Acceptance Criteria

No new backlog overflow messages during peak activity windows.

sudo auditctl -s ; sudo journalctl -k -n 100 | grep -Ei 'backlog|lost'
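
One way to turn the acceptance criterion above into a repeatable check, added here as an example and not part of the original page: compare two `auditctl -s` snapshots taken before and after a peak window, because the `lost` counter is cumulative and only its delta shows new drops. The function names, the 80% warning threshold and the sample snapshots are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare two `auditctl -s` snapshots around a peak window.
# "lost" is cumulative, so only the delta between snapshots shows new drops.

# Constructed sample snapshots (not captured from a real host).
SAMPLE_BEFORE='enabled 1
rate_limit 0
backlog_limit 8192
lost 57
backlog 12
backlog_wait_time 60000'
SAMPLE_AFTER='enabled 1
rate_limit 0
backlog_limit 8192
lost 391
backlog 7012
backlog_wait_time 60000'

# Print the value of field $1 from `auditctl -s` text on stdin.
audit_field() {
    awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit_window_check BEFORE AFTER [WARN_PCT]  (hypothetical helper name)
# Returns 0 pass, 1 backlog near limit, 2 records lost, 3 unparsable input.
audit_window_check() {
    warn_pct=${3:-80}
    lost0=$(printf '%s\n' "$1" | audit_field lost)
    lost1=$(printf '%s\n' "$2" | audit_field lost)
    backlog=$(printf '%s\n' "$2" | audit_field backlog)
    limit=$(printf '%s\n' "$2" | audit_field backlog_limit)
    for v in "$lost0" "$lost1" "$backlog" "$limit"; do
        case $v in ''|*[!0-9]*) echo "ERROR unparsable status"; return 3 ;; esac
    done
    delta=$((lost1 - lost0))
    # The counter restarts at boot; a smaller "after" value is a fresh count.
    if [ "$delta" -lt 0 ]; then delta=$lost1; fi
    if [ "$delta" -gt 0 ]; then echo "FAIL new_lost=$delta"; return 2; fi
    pct=0
    if [ "$limit" -gt 0 ]; then pct=$((backlog * 100 / limit)); fi
    if [ "$pct" -ge "$warn_pct" ]; then echo "WARN backlog=${pct}%"; return 1; fi
    echo "PASS new_lost=0 backlog=${pct}%"
}

# Demo on the constructed snapshots; live use would pass "$(sudo auditctl -s)".
audit_window_check "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || echo "exit status $?"
```

On a live host, capture the first snapshot before the peak window and the second after it, then pass both strings to `audit_window_check`.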

Rollback Plan

Revert kernel args and auditd config if performance tuning causes side effects.

Prevention & Hardening

Capacity-plan audit pipeline and validate ruleset impact before broad rollout.

Related Errors & Cross-Refs

Related to rsyslog forwarding stalls and root filesystem log saturation.

References & Further Reading

RHEL audit subsystem tuning and compliance hardening references.
