From 09636605c1d210eb41c062d02971fba21536cbcc Mon Sep 17 00:00:00 2001
From: Adrian Serrano
Date: Thu, 12 Jul 2018 16:11:49 +0200
Subject: [PATCH] Auditd: Document the backpressure_strategy option (#7157)

Added documentation for the `backpressure_strategy` option on the auditd module.
---
 auditbeat/docs/modules/auditd.asciidoc | 25 ++++++++++++++++++++-
 auditbeat/module/auditd/_meta/docs.asciidoc | 25 ++++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc
index cbfae02768c..8c003db1085 100644
--- a/auditbeat/docs/modules/auditd.asciidoc
+++ b/auditbeat/docs/modules/auditd.asciidoc
@@ -79,10 +79,11 @@ following example shows all configuration options with their default values.
 - module: auditd
 resolve_ids: true
 failure_mode: silent
- backlog_limit: 8196
+ backlog_limit: 8192
 rate_limit: 0
 include_raw_message: false
 include_warnings: false
+ backpressure_strategy: auto
 ----
 *`socket_type`*:: This optional setting controls the type of
@@ -146,6 +147,28 @@ loaded after the rules declared in `audit_rules` are loaded. Wildcards are supported and will expand in lexicographical order. The format is the same as that of the `audit_rules` field.
+*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
+prevent backpressure from propagating to the kernel and impacting audited
+processes.
++
+--
+The possible values are:
+
+- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
+falls back to the `userspace` strategy.
+- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
+audit framework to 0. This causes events to be discarded in the kernel if
+the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+newer.
+- `userspace`: {beatname_uc} drops events when there is backpressure
+from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
+limit of 5000. Users should test their setup and adjust the `rate_limit`
+option accordingly.
+- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
+time.
+- `none`: No backpressure mitigation measures are enabled.
+--
+
 [float]
 === Audit rules
diff --git a/auditbeat/module/auditd/_meta/docs.asciidoc b/auditbeat/module/auditd/_meta/docs.asciidoc
index 1561ac6186b..9475f0511da 100644
--- a/auditbeat/module/auditd/_meta/docs.asciidoc
+++ b/auditbeat/module/auditd/_meta/docs.asciidoc
@@ -74,10 +74,11 @@ following example shows all configuration options with their default values.
 - module: auditd
 resolve_ids: true
 failure_mode: silent
- backlog_limit: 8196
+ backlog_limit: 8192
 rate_limit: 0
 include_raw_message: false
 include_warnings: false
+ backpressure_strategy: auto
 ----
 *`socket_type`*:: This optional setting controls the type of
@@ -141,6 +142,28 @@ loaded after the rules declared in `audit_rules` are loaded. Wildcards are supported and will expand in lexicographical order. The format is the same as that of the `audit_rules` field.
+*`backpressure_strategy`*:: Specifies the strategy that {beatname_uc} uses to
+prevent backpressure from propagating to the kernel and impacting audited
+processes.
++
+--
+The possible values are:
+
+- `auto` (default): {beatname_uc} uses the `kernel` strategy, if supported, or
+falls back to the `userspace` strategy.
+- `kernel`: {beatname_uc} sets the `backlog_wait_time` in the kernel's
+audit framework to 0. This causes events to be discarded in the kernel if
+the audit backlog queue fills to capacity. Requires a 3.14 kernel or
+newer.
+- `userspace`: {beatname_uc} drops events when there is backpressure
+from the publishing pipeline. If no `rate_limit` is set, {beatname_uc} sets a rate
+limit of 5000. Users should test their setup and adjust the `rate_limit`
+option accordingly.
+- `both`: {beatname_uc} uses the `kernel` and `userspace` strategies at the same
+time.
+- `none`: No backpressure mitigation measures are enabled.
+--
+
 [float]
 === Audit rules