Symptom & Impact
Kernel reports lost audit events when backlog is exhausted, reducing forensic integrity.
Environment & Reproduction
Appears under heavy syscall activity and strict auditing profiles.
systemctl status auditd
auditctl -s
journalctl -k | grep -i audit
Root Cause Analysis
The backlog limit is too low, and the flush strategy too slow, for the event throughput and storage latency.
Quick Triage
Check immediate drop counters and disk condition.
auditctl -s
df -h /var/log/audit
ausearch -m DAEMON_END,DAEMON_START -ts recent
Step-by-Step Diagnosis
Inspect audit daemon settings and kernel boot args.
grep -E 'backlog|flush|freq' /etc/audit/auditd.conf
cat /proc/cmdline | tr ' ' '\n' | grep audit
augenrules --check

Solution – Primary Fix
Raise the kernel backlog limit, set the auditd flush mode to INCREMENTAL_ASYNC, and restart the service. The kernel argument takes effect at the next boot.
sudo grubby --update-kernel=ALL --args='audit_backlog_limit=8192'
sudo sed -i.bak 's/^flush.*/flush = INCREMENTAL_ASYNC/' /etc/audit/auditd.conf
sudo systemctl restart auditd

Solution – Alternative Approaches
Trim noisy rules and separate high-volume watch paths.
sudo ausearch -ts recent | wc -l
sudo augenrules --load
Verification & Acceptance Criteria
No new dropped-event messages and stable audit queue behavior.
auditctl -s
journalctl -k -n 100 --no-pager | grep -i audit
ausearch -m AVC -ts recent | head
Rollback Plan
Remove added kernel arg and restore prior auditd.conf if side effects appear.
sudo grubby --update-kernel=ALL --remove-args='audit_backlog_limit=8192'
sudo cp /etc/audit/auditd.conf.bak /etc/audit/auditd.conf
sudo systemctl restart auditd
Prevention & Hardening
Continuously monitor dropped audit events and tune per workload profile.
auditctl -s
systemctl enable --now auditd
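One way to script the drop-counter check is sketched below. This is an added example, not part of the original article: a POSIX shell function that reads auditctl -s output and flags new lost events or a backlog close to its limit. The function names, exit codes, 80% default threshold and the sample status text are assumptions constructed for illustration, and it assumes the one "key value" pair per line format printed by current auditctl.

```shell
#!/bin/sh
# Added example (not from the article). Reads `auditctl -s` output on stdin.
# Usage: auditctl -s | audit_backlog_check PREV_LOST [WARN_PCT]
# Exit: 0 ok, 1 backlog >= WARN_PCT of limit, 2 new lost events, 3 unparsable.
audit_backlog_check() {
    prev_lost=${1:-0}
    warn_pct=${2:-80}          # assumed default threshold
    awk -v prev="$prev_lost" -v warn="$warn_pct" '
        $1 == "lost"          { lost = $2 + 0;    seen++ }
        $1 == "backlog"       { backlog = $2 + 0; seen++ }
        $1 == "backlog_limit" { limit = $2 + 0;   seen++ }
        END {
            if (seen < 3) { print "UNKNOWN: could not parse status"; exit 3 }
            # A limit of 0 means no kernel cap, so utilization is undefined.
            pct = (limit > 0) ? int(backlog * 100 / limit) : 0
            if (lost > prev + 0) {
                printf "CRITICAL: %d events lost since last check (backlog %d/%d)\n",
                       lost - prev, backlog, limit
                exit 2
            }
            if (pct >= warn + 0) {
                printf "WARNING: backlog at %d%% of limit (%d/%d)\n", pct, backlog, limit
                exit 1
            }
            printf "OK: lost=%d backlog=%d/%d\n", lost, backlog, limit
        }'
}

# Constructed sample of `auditctl -s` output, for offline testing only.
sample_status() {
    cat <<'EOF'
enabled 1
failure 1
pid 1042
rate_limit 0
backlog_limit 8192
lost 37
backlog 7010
backlog_wait_time 60000
EOF
}

# Demo: baseline of 0 lost events, so the 37 in the sample are reported as new.
sample_status | audit_backlog_check 0 || echo "exit status: $?"
```

Store the lost value between runs and pass it as PREV_LOST so that only new drops raise an alert; the kernel counter starts again from zero after a reboot.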
Related Errors & Cross-Refs
Related to rsyslog congestion, slow storage, and excessive watch rules on busy directories.
References & Further Reading
RHEL security and auditing documentation for backlog management and rule optimization.