Auditd: Document the backpressure_strategy option (elastic#7157)

Added documentation for the `backpressure_strategy` option on the auditd module.
adriansr · Jul 23, 2018 · 0963660 · 0963660
1 parent e2ddff7
commit 0963660
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
@@ -79,10 +79,11 @@ following example shows all configuration options with their default values.
 - module: auditd
  resolve_ids: true
  failure_mode: silent
- backlog_limit: 8196
+ backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
+ backpressure_strategy: auto
 ----
 
 *`socket_type`*:: This optional setting controls the type of
@@ -146,6 +147,28 @@ loaded after the rules declared in `audit_rules` are loaded. Wildcards are
 supported and will expand in lexicographical order. The format is the same as
 that of the `audit_rules` field.
 
+*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
+prevent backpressure from propagating to the kernel and impacting audited
+processes.
++
+--
+The possible values are:
+
+- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
+falls back to the `userspace` strategy.
+- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
+audit framework to 0. This causes events to be discarded in the kernel if
+the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+newer.
+- `userspace`: {beatname_uc} drops events when there is backpressure
+from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
+limit of 5000. Users should test their setup and adjust the `rate_limit`
+option accordingly.
+- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
+time.
+- `none`: No backpressure mitigation measures are enabled.
+--
+
 [float]
 === Audit rules
 

diff --git a/auditbeat/module/auditd/_meta/docs.asciidoc b/auditbeat/module/auditd/_meta/docs.asciidoc
@@ -74,10 +74,11 @@ following example shows all configuration options with their default values.
 - module: auditd
  resolve_ids: true
  failure_mode: silent
- backlog_limit: 8196
+ backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
+ backpressure_strategy: auto
 ----
 
 *`socket_type`*:: This optional setting controls the type of
@@ -141,6 +142,28 @@ loaded after the rules declared in `audit_rules` are loaded. Wildcards are
 supported and will expand in lexicographical order. The format is the same as
 that of the `audit_rules` field.
 
+*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
+prevent backpressure from propagating to the kernel and impacting audited
+processes.
++
+--
+The possible values are:
+
+- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
+falls back to the `userspace` strategy.
+- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
+audit framework to 0. This causes events to be discarded in the kernel if
+the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+newer.
+- `userspace`: {beatname_uc} drops events when there is backpressure
+from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
+limit of 5000. Users should test their setup and adjust the `rate_limit`
+option accordingly.
+- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
+time.
+- `none`: No backpressure mitigation measures are enabled.
+--
+
 [float]
 === Audit rules