Linux audit “Backlog limit exceeded”

If you’re running a busy Linux system, you may see the following error in your kernel logs:
“audit: backlog limit exceeded”.

For example:
[Screenshot 1: kernel log showing the “audit: backlog limit exceeded” message]

To reduce how often this message appears in your logs, you can increase the size of the audit backlog buffer.

Edit /etc/audit/audit.rules and increase the value of the “-b” option (the audit backlog limit). On Red Hat Linux 6 systems, the default value is 320.
[Screenshot 2: /etc/audit/audit.rules showing the “-b” line]

Determining the appropriate value may require some time and experimentation. As a general rule, we suggest doubling the value and then observing its effects. Avoid setting the value too high, as a larger backlog consumes more kernel memory and can increase system resource usage.

Once your value is set, save the file and restart the auditd service.
[Screenshot 3: restarting the auditd service]
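The procedure above (check the current backlog limit and lost-event count, count the kernel messages, double “-b” in audit.rules, then restart auditd) as an added shell example that is not part of the original post. The `auditctl -s` output and kernel log lines are constructed samples; on a real host you would feed in the live `auditctl -s` and `dmesg` output and edit /etc/audit/audit.rules itself.

```sh
#!/bin/sh
# Added example, not from the original post. Constructed sample of the
# single-line `auditctl -s` output printed by older auditd releases.
SAMPLE_STATUS='AUDIT_STATUS: enabled=1 flag=1 pid=1234 rate_limit=0 backlog_limit=320 lost=57 backlog=312'

# Constructed sample kernel log lines (what `dmesg` might show).
SAMPLE_DMESG='audit: audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1 audit_rate_limit=0 audit_backlog_limit=320
audit: backlog limit exceeded
audit: backlog limit exceeded
audit: backlog limit exceeded'

# Extract a numeric field (backlog_limit, lost, ...) from `auditctl -s` output.
status_field() {  # $1 = status line, $2 = field name
    printf '%s\n' "$1" | sed -n "s/.*$2=\([0-9][0-9]*\).*/\1/p"
}

# Count kernel messages reporting an exceeded backlog (0 if none).
count_backlog_exceeded() {  # $1 = kernel log text
    printf '%s\n' "$1" | grep -c 'backlog limit exceeded' || true
}

# The post's rule of thumb: double the current value, then observe.
suggest_backlog() {  # $1 = current backlog_limit
    echo $(( $1 * 2 ))
}

# Replace (or append) the "-b" line in an audit.rules file, portably.
set_backlog_rule() {  # $1 = path to audit.rules, $2 = new value
    if grep -q '^-b[[:space:]]' "$1"; then
        sed "s/^-b[[:space:]].*/-b $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf -- '-b %s\n' "$2" >> "$1"
    fi
}

# Walk through the procedure on the constructed samples.
current=$(status_field "$SAMPLE_STATUS" backlog_limit)
lost=$(status_field "$SAMPLE_STATUS" lost)
echo "backlog_limit=$current lost=$lost exceeded_msgs=$(count_backlog_exceeded "$SAMPLE_DMESG")"
rules=$(mktemp)                       # stand-in for /etc/audit/audit.rules
printf -- '-D\n-b %s\n-f 1\n' "$current" > "$rules"
set_backlog_rule "$rules" "$(suggest_backlog "$current")"
cat "$rules"                          # now contains "-b 640"
rm -f "$rules"                        # on a real host: service auditd restart
```

A non-zero `lost` count alongside the messages confirms events were actually dropped, which is the reason to raise the limit rather than only silence the log line.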

Please note that the “audit: backlog limit exceeded” message is a generic message and could be a symptom of a bigger issue (most commonly, auditd being unable to write its log quickly enough because of ext4 file system problems). Further troubleshooting may be necessary.