
Linux Audit Subsystem

Plugin: debugfs.plugin Module: audit

Overview

Monitors the Linux kernel audit subsystem status via NETLINK_AUDIT. Tracks audit backlog depth, backlog utilization, lost events, and configuration (failure mode and enabled state). The failure mode is the kernel's failure flag as set with auditctl -f: 0 = silent, 1 = printk, 2 = panic. The collector is critical for detecting audit backlog overflow conditions, because with failure mode 2 (panic) an overflowed backlog causes a kernel panic.

Query kernel audit status via NETLINK_AUDIT socket (AUDIT_GET)

This collector is only supported on the following platforms:

  • Linux

This collector only supports collecting metrics from a single instance of this integration.

This integration requires root privileges or the CAP_AUDIT_CONTROL capability to query the kernel audit subsystem via netlink (the kernel checks this capability for AUDIT_GET, and it also only accepts audit netlink requests from the initial user namespace, so a containerized agent in its own user namespace cannot use this module). The Netdata installer grants this capability to debugfs.plugin automatically. The module detects missing privileges (the kernel answers with an EPERM error message) and disables itself gracefully.
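As an added example (this is not Netdata's plugin code), the following Python program performs the same AUDIT_GET round-trip the module describes: it sends a bare nlmsghdr over a NETLINK_AUDIT socket, decodes the struct audit_status reply, derives the backlog, utilization, lost, enabled and failure values the page lists, and flags the dangerous combination of failure mode panic with a nearly full backlog. The netlink and audit constants are taken from the kernel headers (Python's socket module does not export NETLINK_AUDIT); the sample reply is constructed, not captured from a real kernel; and the warn_pct threshold is a hypothetical value for this example, not the page's alert threshold. The parser also handles the two failure modes a practitioner hits in practice: an EPERM error reply when the caller lacks CAP_AUDIT_CONTROL, and a short audit_status from an older kernel that returns only the first eight fields.

```python
import errno
import os
import socket
import struct

# Values from <linux/netlink.h> and <linux/audit.h>; Python's socket module does not export NETLINK_AUDIT.
NETLINK_AUDIT = 9
NLM_F_REQUEST = 0x01
NLMSG_ERROR = 0x2
AUDIT_GET = 1000
NLMSG_HDRLEN = 16

# struct nlmsghdr: nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid (native byte order, no padding)
NLMSGHDR = struct.Struct("=IHHII")

# struct audit_status, in field order. Older kernels return only the first eight u32 fields,
# so the parser treats everything after "backlog" as optional.
STATUS_FIELDS = ("mask", "enabled", "failure", "pid", "rate_limit", "backlog_limit", "lost",
                 "backlog", "feature_bitmap", "backlog_wait_time", "backlog_wait_time_actual")
STATUS_MIN_FIELDS = 8

ENABLED_NAMES = {0: "disabled", 1: "enabled", 2: "immutable"}  # 2 == AUDIT_LOCKED
FAILURE_NAMES = {0: "silent", 1: "printk", 2: "panic"}         # AUDIT_FAIL_SILENT/PRINTK/PANIC


def build_audit_get(seq: int = 1) -> bytes:
    """AUDIT_GET carries no payload: the request is a bare 16-byte nlmsghdr."""
    return NLMSGHDR.pack(NLMSG_HDRLEN, AUDIT_GET, NLM_F_REQUEST, seq, 0)


def make_reply(*fields: int, nlmsg_type: int = AUDIT_GET) -> bytes:
    """Build a reply message carrying the given u32 fields (used for the constructed sample below)."""
    body = struct.pack(f"={len(fields)}I", *fields)
    return NLMSGHDR.pack(NLMSG_HDRLEN + len(body), nlmsg_type, 0, 1, 0) + body


def parse_audit_reply(reply: bytes) -> dict:
    """Decode one netlink message: an AUDIT_GET reply (struct audit_status) or an NLMSG_ERROR."""
    if len(reply) < NLMSG_HDRLEN:
        raise ValueError("short netlink header")
    nlmsg_len, nlmsg_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(reply)
    payload = reply[NLMSG_HDRLEN:nlmsg_len]
    if nlmsg_type == NLMSG_ERROR:
        # struct nlmsgerr starts with a negative errno; EPERM is what a caller without
        # CAP_AUDIT_CONTROL sees, and is the condition a collector must detect and back off from.
        (neg_errno,) = struct.unpack_from("=i", payload)
        raise OSError(-neg_errno, os.strerror(-neg_errno))  # OSError maps EPERM to PermissionError
    if nlmsg_type != AUDIT_GET:
        raise ValueError(f"unexpected nlmsg_type {nlmsg_type}")
    nfields = min(len(payload) // 4, len(STATUS_FIELDS))
    if nfields < STATUS_MIN_FIELDS:
        raise ValueError("audit_status payload too short")
    return dict(zip(STATUS_FIELDS, struct.unpack_from(f"={nfields}I", payload)))


def assess(status: dict, warn_pct: float = 80.0) -> dict:
    """Derive the backlog/enabled/failure values and the panic-risk condition.

    warn_pct is a hypothetical threshold for this example, not the page's alert threshold.
    """
    limit, backlog = status["backlog_limit"], status["backlog"]
    # backlog_limit == 0 means "no limit": utilization is undefined and the queue grows until memory pressure.
    utilization = None if limit == 0 else round(100.0 * backlog / limit, 2)
    return {
        "enabled": ENABLED_NAMES.get(status["enabled"], "unknown"),
        "failure": FAILURE_NAMES.get(status["failure"], "unknown"),
        "backlog_used": backlog,
        "backlog_free": None if limit == 0 else max(limit - backlog, 0),
        "backlog_utilization": utilization,
        "lost": status["lost"],
        # The dangerous combination: failure mode panic and a nearly full backlog.
        "panic_risk": status["failure"] == 2 and utilization is not None and utilization >= warn_pct,
    }


def query_audit_status() -> dict:
    """Live AUDIT_GET round-trip; needs CAP_AUDIT_CONTROL (or root) in the initial user namespace."""
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT) as sock:
        sock.bind((0, 0))                       # (pid, groups): let the kernel assign a port id
        sock.sendto(build_audit_get(), (0, 0))  # destination port 0 is the kernel
        return parse_audit_reply(sock.recv(8192))


# Constructed sample (not captured from a real kernel): enabled=1, failure=2 (panic), auditd pid 1234,
# rate_limit=0, backlog_limit=8192, lost=3, backlog=7000, feature_bitmap=0, backlog_wait_time=60000.
SAMPLE_REPLY = make_reply(0, 1, 2, 1234, 0, 8192, 3, 7000, 0, 60000, 0)

if __name__ == "__main__":
    try:
        status = query_audit_status()
    except (OSError, AttributeError):  # no privilege, or AF_NETLINK unavailable (not Linux)
        status = parse_audit_reply(SAMPLE_REPLY)
    print(assess(status))
```

Run as root on Linux it prints the live values; elsewhere, or without the capability, it falls back to the constructed sample, which reports 85.45% utilization with failure mode panic and therefore panic_risk True. Note that the request does not set NLM_F_ACK, so a successful query produces exactly one reply message of type AUDIT_GET rather than a data message followed by an ACK.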

Default Behavior

Auto-Detection

Automatically detects and monitors the Linux audit subsystem when the kernel supports NETLINK_AUDIT. Gracefully disables itself if audit is not available.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

Minimal. Performs a single netlink query per collection cycle. No file I/O, no process forking.

Setup

Prerequisites

Linux kernel with audit support

The Linux kernel must have audit support enabled (CONFIG_AUDIT=y). Most distribution kernels include this by default.

Configuration

Options

Config options
Option          Description                   Default   Required
update every    Data collection frequency.    1         no

via File

The configuration file name for this integration is netdata.conf. Configuration for this specific integration is located in the [plugin:debugfs] section within that file.

The file format is a modified INI syntax. The general structure is:

[section1]
option1 = some value
option2 = some other value

[section2]
option3 = some third value

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config netdata.conf

Examples

There are no configuration examples.

Alerts

The following alerts are available:

Alert name                   On metric                    Description
audit_backlog_utilization    audit.backlog_utilization    Linux audit backlog utilization has exceeded the warning threshold while the failure mode is set to panic. A kernel panic is imminent if the backlog overflows.
audit_lost_events            audit.lost                   The Linux audit subsystem is losing events (backlog overflow, rate limiting, or memory pressure).

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Monitor the Linux kernel audit subsystem status and backlog health.

Per Linux Audit Subsystem instance

Audit subsystem status for the entire system.

This scope has no labels.

Metrics:

Metric                       Dimensions                       Unit
audit.backlog                used, free                       events
audit.backlog_utilization    utilization                      %
audit.lost                   lost                             events/s
audit.enabled                disabled, enabled, immutable     state
audit.failure                silent, printk, panic            state

audit.enabled mirrors the kernel's enabled flag (0 = disabled, 1 = enabled, 2 = locked/immutable, as set with auditctl -e), and audit.failure mirrors the failure flag (0 = silent, 1 = printk, 2 = panic, as set with auditctl -f). audit.backlog reports the queued events against the configured backlog limit (auditctl -b); audit.lost is the rate of change of the kernel's cumulative lost-event counter.
