Audispd seems to hit a memory leak when auditd is configured with node/machine field set to 'user', but no 'name' option is set, and restarted. Specify in the auditd.conf 'user' as the 'name_format' like this: ... name_format = user ## name = mydomain <-- leave this commented out ... Now when you restart the audtid service, the audispd will eat almost all memory and CPU within a seconds: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 16779 95.5 91.0 3016852 1889512 ? S<sl 15:51 0:06 /sbin/audispd Tail of the /var/log/messages showing the auditd restart: ... Mar 10 16:01:22 dhcp-lab-118 auditd[16822]: The audit daemon is exiting. Mar 10 16:01:22 dhcp-lab-118 kernel: audit(1205161282.054:2629): audit_pid=0 old=16822 by auid=0 subj=root:system_r:auditd_t:s0 Mar 10 16:01:22 dhcp-lab-118 auditd[16887]: Started dispatcher: /sbin/audispd pid: 16889 Mar 10 16:01:22 dhcp-lab-118 auditd[16887]: User defined name missing Mar 10 16:01:22 dhcp-lab-118 auditd[16887]: The audit daemon is exiting. Mar 10 16:01:22 dhcp-lab-118 kernel: audit(1205161282.195:2630): audit_pid=0 old=0 by auid=0 subj=root:system_r:auditd_t:s0 Mar 10 16:01:22 dhcp-lab-118 audispd: af_unix plugin initialized Mar 10 16:01:22 dhcp-lab-118 audispd: audispd initialized with q_depth=64 and 1 active plugins Mar 10 16:01:22 dhcp-lab-118 auditd: Cannot daemonize (Success) Mar 10 16:01:22 dhcp-lab-118 auditd: The audit daemon is exiting. Mar 10 16:01:22 dhcp-lab-118 kernel: audit(1205161282.205:2631): audit_backlog_limit=320 old=320 by auid=0 subj=root:system_r:auditctl_t:s0 res=1
It would appear that the audisp program, should have exited. Which package are you testing against?
The package version is audit-1.6.5-3.el5. And maybe I should note that the audispd.conf is not changed/default: ... q_depth = 64 overflow_action = SYSLOG name_format = HOSTNAME #name = mydomain
This is a duplicate of bz435329. The problem is a failure to detect end of file which loops quickly allocating lots of memory. *** This bug has been marked as a duplicate of 435329 ***