π ~1 min read
Table of contents
Symptom & Impact
Security audits show logging gaps and auditd reports suspended or no-space conditions.
Environment & Reproduction
Audit partition reached configured space_left or admin_space_left thresholds.
Root Cause Analysis
Run df -h /var/log/audit, sudo systemctl status auditd, and inspect /etc/audit/auditd.conf.
Quick Triage
Free immediate space by archiving old audit logs according to retention policy.
Step-by-Step Diagnosis
Adjust rotation and threshold values in auditd.conf, then restart auditd safely.
Solution – Primary Fix
Confirm new events are written with sudo ausearch -ts recent and active auditd state.
Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.
Solution – Alternative Approaches
Verify continuous event capture and no further suspend actions in journalctl.
Verification & Acceptance Criteria
Revert threshold changes if compliance policy requires stricter limits and expand storage.
Rollback Plan
Allocate dedicated audit volume and enforce predictable retention and offloading.
Prevention & Hardening
Alert on audit log utilization and auditd status before thresholds trigger service impact.
Related Errors & Cross-Refs
Schedule secure archival and upload jobs for audit logs with integrity checks.
Related tutorial: View the step-by-step tutorial for rhel-9.
View all rhel-9 tutorials on the Tutorials Hub β
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Consult auditd.conf, ausearch, and RHEL 9 security compliance documentation.
Need Expert Help?
If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β we respond within one business day.
