auditctl -s
auditctl -l | wc -l
auditctl -l
audisp-af_unix is an audit dispatcher (audispd) plugin
It forwards audit events over a UNIX domain socket (by default /var/run/audispd_events) to whatever local consumer connects to it, typically a SIEM forwarder or security agent
It normally uses tiny amounts of memory (a few MB of RAM and near zero swap)
pidof audisp-af_unix
grep -E 'VmRSS|VmSwap' /proc/$(pidof audisp-af_unix)/status
If pidof prints nothing, the af_unix plugin is built into the dispatcher on that audit version (type = builtin in its plugins.d/af_unix.conf); there is no separate process and its memory is counted under the daemon, so read the daemon's /proc/<pid>/status instead.
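The same check as a reusable script, added here as an example (it is not part of the original page). It parses a /proc/<pid>/status file, returns the VmRSS and VmSwap values in kB, and fails when swap use passes a limit you choose. The status text embedded below is constructed for the demo; the limits 20480 and 4096 kB are illustrative, and the fallback to auditd's pid covers the builtin-plugin case.

```shell
#!/bin/sh
# Added example, not from the original page: read VmRSS/VmSwap out of a
# /proc/<pid>/status file and flag the plugin when swap use passes a limit.

# Constructed sample of /proc/<pid>/status (values are made up for the demo).
SAMPLE_STATUS='Name:   audisp-af_unix
State:  S (sleeping)
Pid:    4242
VmPeak:   183456 kB
VmSize:   181234 kB
VmRSS:     91200 kB
VmSwap:    65536 kB
Threads:        1'

# vm_kb FIELD FILE: value in kB of a Vm* field; 0 when the field is absent.
vm_kb() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { if (!found) print 0 }' "$2"
}

# audisp_mem_check FILE RSS_LIMIT_KB SWAP_LIMIT_KB
# Prints "OK|RSS_HIGH|SWAP_HIGH VmRSS=..kB VmSwap=..kB"; returns 0 only for OK.
# Swap is checked last so it wins: it is the symptom this page is about.
audisp_mem_check() {
    rss=$(vm_kb VmRSS "$1")
    swap=$(vm_kb VmSwap "$1")
    verdict=OK
    [ "$rss" -gt "$2" ] && verdict=RSS_HIGH
    [ "$swap" -gt "$3" ] && verdict=SWAP_HIGH
    printf '%s VmRSS=%skB VmSwap=%skB\n' "$verdict" "$rss" "$swap"
    [ "$verdict" = OK ]
}

# audisp_status_file: path to the live plugin's status file. Falls back to auditd
# when pidof finds no audisp-af_unix (builtin plugin on some audit versions).
audisp_status_file() {
    pid=$(pidof audisp-af_unix 2>/dev/null || pidof auditd 2>/dev/null) || return 1
    echo "/proc/${pid%% *}/status"
}

# Demo on the constructed sample; live use would be:
#   audisp_mem_check "$(audisp_status_file)" 20480 4096
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_STATUS" > "$tmp"
audisp_mem_check "$tmp" 20480 4096 || :   # SWAP_HIGH VmRSS=91200kB VmSwap=65536kB
rm -f "$tmp"
```

The non-zero exit status makes the function usable directly as a cron or monitoring probe; the same awk one-liner is what you would put behind a Zabbix item for the plugin's VmSwap.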
When audisp-af_unix consumes a lot of memory or swap, it almost always indicates one of the following:
Audit socket consumer stopped or is slow
Audit logs not being drained
Audit rules generating huge volumes of events
Disk IO slowdown causing audit backlog
A misconfigured SIEM / security agent
When the audit queue backs up:
audisp-af_unix holds the undelivered events in process memory (the dispatcher queue in front of it is bounded by q_depth, and overflow_action decides whether the excess is dropped, logged or stops auditing)
Under memory pressure the kernel swaps those pages out
Swap fills
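To tell the causes above apart without guessing, read two things: the kernel audit status (auditctl -s: backlog, backlog_limit, lost) and whether anything is actually connected to the plugin's socket (ss -xp). The script below is an added example, not from the original page; both the auditctl -s text and the ss -xp listings it parses are constructed samples, the socket path is the plugin's default, and "siem-agent" is a made-up consumer name.

```shell
#!/bin/sh
# Added example, not from the original page: combine the kernel audit status with
# the plugin socket's peer list and name which of the causes above is in play.

# Constructed sample in the one-field-per-line format of `auditctl -s`.
SAMPLE_AUDIT_STATUS='enabled 1
failure 1
pid 1187
rate_limit 0
backlog_limit 8192
lost 3410
backlog 8192
backlog_wait_time 60000
backlog_wait_time_actual 120000'

# Constructed sample of `ss -xp`: only the plugin's listening socket, no client.
SAMPLE_SS_NO_PEER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str LISTEN 0      5      /var/run/audispd_events 21955 * 0 users:(("audisp-af_unix",pid=1190,fd=3))'

# Same listing with a consumer connected ("siem-agent" is a made-up process name).
SAMPLE_SS_PEER="$SAMPLE_SS_NO_PEER
u_str ESTAB  0      0      /var/run/audispd_events 21960 * 21961 users:((\"audisp-af_unix\",pid=1190,fd=4))
u_str ESTAB  0      0      * 21961 * 21960 users:((\"siem-agent\",pid=2200,fd=9))"

# status_field FIELD FILE: one value from `auditctl -s` output; 0 if absent.
status_field() {
    awk -v f="$1" '$1 == f { print $2; found = 1 } END { if (!found) print 0 }' "$2"
}

# socket_has_consumer SSFILE SOCKPATH: 0 when an ESTAB socket is bound to SOCKPATH,
# i.e. somebody is connected to the plugin; 1 when only the listener exists.
socket_has_consumer() {
    awk -v p="$2" '$2 == "ESTAB" && $5 == p { found = 1 } END { exit !found }' "$1"
}

# queue_diagnosis STATUSFILE SSFILE SOCKPATH: print one verdict keyword.
queue_diagnosis() {
    lost=$(status_field lost "$1")
    backlog=$(status_field backlog "$1")
    limit=$(status_field backlog_limit "$1")
    if ! socket_has_consumer "$2" "$3"; then
        echo NO_CONSUMER      # nobody reads the socket: events pile up behind the plugin
    elif [ "$lost" -gt 0 ]; then
        echo EVENTS_LOST      # kernel backlog overflowed and records were dropped
    elif [ "$limit" -gt 0 ] && [ $((backlog * 100 / limit)) -ge 80 ]; then
        echo BACKLOG_HIGH     # still draining, but within 20% of backlog_limit
    else
        echo OK
    fi
}

# Demo on the constructed samples. Live use:
#   auditctl -s > /tmp/as; ss -xp > /tmp/ss
#   queue_diagnosis /tmp/as /tmp/ss /var/run/audispd_events
as=$(mktemp); ss_np=$(mktemp); ss_p=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT_STATUS" > "$as"
printf '%s\n' "$SAMPLE_SS_NO_PEER" > "$ss_np"
printf '%s\n' "$SAMPLE_SS_PEER" > "$ss_p"
queue_diagnosis "$as" "$ss_np" /var/run/audispd_events   # NO_CONSUMER
queue_diagnosis "$as" "$ss_p" /var/run/audispd_events    # EVENTS_LOST
rm -f "$as" "$ss_np" "$ss_p"
```

The lost counter is cumulative since boot, so compare two readings a minute apart before blaming a current overflow on it; a NO_CONSUMER verdict is the one to act on first, because no amount of queue tuning helps while nothing drains the socket.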
To avoid memory/swap issues caused by audit:
Cap the audit backlog: backlog_limit in the kernel (-b in the rules file) and q_depth plus overflow_action for the dispatcher queue
Review audit rules for excessive verbosity
Ensure audit consumers are always running
Monitor audisp memory separately in Zabbix
Consider moving heavy audit workloads off DB servers
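The concrete settings the first and fourth points map to, as an added example that is not from the original page: a weak dispatcher configuration beside a corrected one, a small checker for it, and the kernel-side rule lines and Zabbix item that go with them. The config fragments are constructed, the numbers (q_depth 8192, -b 8192, a 2000 floor) are illustrative choices rather than recommendations from the page, and the Zabbix key name is ours.

```shell
#!/bin/sh
# Added example, not from the original page: the settings the mitigations above
# map to, with a weak dispatcher config beside a corrected one and a checker for
# it. Numbers are illustrative; pick yours from the event rate you measured.

# Constructed weak fragment: shallow queue, overflow dropped silently.
WEAK_CONF='q_depth = 250
overflow_action = IGNORE
max_log_file_action = ROTATE'

# Corrected fragment: deeper bounded queue, overflow reported to syslog so the
# "logs not being drained" case is visible instead of silent.
# On audit 2.x these keys live in /etc/audisp/audispd.conf, on 3.x in
# /etc/audit/auditd.conf.
FIXED_CONF='q_depth = 8192
overflow_action = SYSLOG
max_log_file_action = ROTATE'

# conf_value KEY FILE: value of a "key = value" line, whitespace trimmed.
conf_value() {
    awk -F= -v k="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$2"
}

# check_dispatcher_conf FILE MIN_Q_DEPTH: returns 0 when the queue is at least
# MIN_Q_DEPTH deep and overflow is not ignored; prints each finding otherwise.
check_dispatcher_conf() {
    rc=0
    qd=$(conf_value q_depth "$1"); [ -n "$qd" ] || qd=0
    oa=$(conf_value overflow_action "$1" | tr '[:lower:]' '[:upper:]')
    if [ "$qd" -lt "$2" ]; then
        echo "q_depth=$qd below $2"; rc=1
    fi
    if [ -z "$oa" ] || [ "$oa" = IGNORE ]; then
        echo "overflow_action=${oa:-unset}: overflows are invisible"; rc=1
    fi
    return $rc
}

# Kernel-side cap, first lines of /etc/audit/rules.d/*.rules (or live via auditctl):
#   -b 8192     backlog_limit: records the kernel holds while auditd is slow
#   -f 1        on audit failure, printk rather than panic
# Zabbix agent UserParameter for the plugin's swap (the key name is our choice):
#   UserParameter=audisp.vmswap,awk '/^VmSwap/{print $2}' /proc/$(pidof audisp-af_unix)/status

# Demo on the constructed fragments.
w=$(mktemp); f=$(mktemp)
printf '%s\n' "$WEAK_CONF" > "$w"
printf '%s\n' "$FIXED_CONF" > "$f"
check_dispatcher_conf "$w" 2000 || :   # prints the two findings, exit status 1
check_dispatcher_conf "$f" 2000 && echo "fixed config OK"
rm -f "$w" "$f"
```

Keep the queue bounded rather than just large: a deep q_depth with overflow_action = SYSLOG turns a silent memory climb into a syslog line you can alert on, which is the point of monitoring the plugin separately in the first place.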