Question:
There are some unusual messages on the MTP screen and we can no longer access the server. What can we do?
Answer:
As stable as an MTP is, it may still crash, and you will then see errors like these:
audit: backlog limit exceeded
audit: audit_backlog=321 > audit_backlog_limit=320
printk: 2 messages suppressed.
audit_backlog=321 > audit_backlog_limit=320
audit: audit_lost=1117 audit_rate_limit=0 audit_backlog_limit=320
The MTP may still respond to pings, but the graphical interface will no longer be accessible.
This is a Linux issue.
Run the commands below with root credentials, or prefix them with sudo, and do the following:
1. Reboot the server to make it accessible.
2. As soon as it has rebooted and you have access to the OS, run this command:
vim /etc/audit/rules.d/audit.rules
3. Press the i key to access insert mode.
4. Go down to where it says -b 320
5. Using your keyboard, change the 320 to 1892.
6. Press the Esc key.
7. Then type :wq
By now, you should be able to get the MTP operational.
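Steps 2 to 7 can also be done without an editor. The script below is an added example, not part of the original article: set_backlog_limit and get_backlog_limit are hypothetical helper names, and the demo at the end runs on a constructed temporary file rather than the live rules file.

```shell
#!/bin/sh
# Added example: change the audit backlog limit (-b) in a rules file
# without opening an editor. Helper names are hypothetical.

# get_backlog_limit FILE: print the value of the last active "-b N" line.
# Returns 1 if the file has no such line (commented-out lines are ignored).
get_backlog_limit() {
    awk '$1 == "-b" && $2 ~ /^[0-9]+$/ { v = $2 }
         END { if (v == "") exit 1; print v }' "$1"
}

# set_backlog_limit FILE LIMIT: rewrite every active "-b N" line to LIMIT,
# or append "-b LIMIT" if none exists. Keeps FILE.bak; other rules are untouched.
set_backlog_limit() {
    file=$1 limit=$2
    case $limit in
        ''|*[!0-9]*) echo "limit must be a number: $limit" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    if get_backlog_limit "$file" >/dev/null; then
        awk -v n="$limit" \
            '$1 == "-b" && $2 ~ /^[0-9]+$/ { sub(/[0-9]+/, n) } { print }' \
            "$file.bak" > "$file"
    else
        printf '%s\n' "-b $limit" >> "$file"
    fi
}

# Demo on a constructed sample file (not /etc/audit/rules.d/audit.rules).
demo=$(mktemp)
printf '%s\n' '-D' '-b 320' '-f 1' > "$demo"
set_backlog_limit "$demo" 1892 &&
    echo "backlog limit in file: $(get_backlog_limit "$demo")"
rm -f "$demo" "$demo.bak"
```

On the server, call set_backlog_limit as root with /etc/audit/rules.d/audit.rules and 1892 as arguments; auditctl -s prints the backlog_limit the kernel is currently using.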
There is still a need to figure out what is flooding the audit log.
Run these commands (without the quotes):
"aureport --start today"
or
"aureport --start today --event --summary -i"
and try to find some hints of what happened.
Additional Information:
1. Server locking up, /var/log/messages reports “backlog limit exceeded”