[202411]Ignore audit rate limit exceeded syslog and avoid false alert for kernel syslog #19134
Merged
StormLiangMS merged 1 commit into sonic-net:202411 from Jun 24, 2025
…rnel syslog Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
sdszhang pushed a commit to sdszhang/sonic-mgmt that referenced this pull request Jun 30, 2025
Code sync sonic-net/sonic-mgmt:202411 => 202412
```
* 760eb7c (HEAD -> code-sync-202412, origin/code-sync-202412) r12f 250624:1905 - Merge remote-tracking branch 'base/202411' into code-sync-202412
|\
| * 2e3c1ba (base/202411) zitingguo-ms 250623:2336 - [test_dynamic_acl] Include all upstream neighbors for t0-d18u8s4 (sonic-net#19052)
| * 0c75f5a zitingguo-ms 250623:2335 - [test_bgp_session] Increase timeout to wait hold-timer (sonic-net#18891)
| * 75d1ac7 Zhaohui Sun 250624:1432 - [202411]Ignore audit rate limit exceeded and avoid false alert for kernel syslog (sonic-net#19134)
| * 88304be Sai Kiran 250528:1155 - [fib_test] Updated deprecated imports that break in Python 3.10+ (sonic-net#18544)
```
Description of PR
Summary:
Fixes # (issue)
Cherry pick #19110 into 202411
```
2025 Jun 14 02:28:46.206949 str2-8101-05 ERR kernel: [17800.425621] audit: rate limit exceeded
```
This syslog was caused by setting a rate limit and many audit syslogs exceeding the rate limit. Due to security, we enable audit syslog, but in some sonic-mgmt cases a rate limit is enabled, so many audit syslogs could exceed the rate limit and this error is printed out.
Confirmed with the feature owner: we can ignore this error syslog to avoid teardown errors in many cases.
```
2025 Jun 12 05:51:29.810090 str2-7050cx3-acs-01 NOTICE kernel: [16041.304670] audit: type=1300 audit(1749707485.287:111698): arch=c000003e syscall=59 success=yes exit=0 a0=7f11c7911010 a1=560342061e40 a2=7ffee6493a08 a3=0 items=2 ppid=265359 pid=265360 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="kill" exe="/usr/bin/kill" subj=unconfined key="process_audit""
```
The syslog above is NOTICE level, but it matched the regex pattern `"kernel:.*kill"` in `tests/common/plugins/loganalyzer/loganalyzer_common_match.txt`. We need to add a new ignore pattern to avoid this false alert.
Type of change
Back port request
Approach
What is the motivation for this PR?
Cherry pick #19110 into 202411
How did you do it?
How did you verify/test it?
Any platform specific information?
Supported testbed topology if it's a new test case?
Documentation
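The false alert described above, reproduced as an added example (not code from this PR or from sonic-mgmt): a line alerts when it hits a match rule and no ignore rule. The `" ERR "` match rule, both ignore regexes, the `flagged` helper and sample lines 2 and 3 are assumptions made for illustration; the PR's actual ignore patterns are not shown on this page.

```python
import re

# Match rules: the first is the pattern quoted in the PR description; the
# second is an assumed stand-in for whatever rule flags ERR-level lines.
MATCH = [re.compile(r"kernel:.*kill"), re.compile(r" ERR ")]

# Hypothetical ignore rules, anchored on severity, the kernel timestamp and the
# audit prefix so they cannot swallow unrelated kernel messages.
IGNORE = [
    re.compile(r" ERR kernel: \[\s*\d+\.\d+\] audit: rate limit exceeded$"),
    re.compile(r" NOTICE kernel: \[\s*\d+\.\d+\] audit: type=\d+ audit\(\d+\.\d+:\d+\): "),
]

# Lines 0 and 1 come from the PR description (line 1 is abbreviated);
# lines 2 and 3 are constructed for this example.
SAMPLE = [
    "2025 Jun 14 02:28:46.206949 str2-8101-05 ERR kernel: [17800.425621] "
    "audit: rate limit exceeded",
    "2025 Jun 12 05:51:29.810090 str2-7050cx3-acs-01 NOTICE kernel: "
    "[16041.304670] audit: type=1300 audit(1749707485.287:111698): "
    'arch=c000003e syscall=59 success=yes exit=0 comm="kill" '
    'exe="/usr/bin/kill" subj=unconfined key="process_audit"',
    "2025 Jun 14 02:30:00.000000 example-dut WARNING kernel: [17900.000001] "
    "oom-kill:constraint=CONSTRAINT_NONE,task=example,pid=4242",
    "2025 Jun 14 02:30:01.000000 example-dut INFO systemd[1]: "
    "Started example.service.",
]


def flagged(lines, match=MATCH, ignore=()):
    """Return the lines that hit a match rule and no ignore rule."""
    return [
        line for line in lines
        if any(m.search(line) for m in match)
        and not any(i.search(line) for i in ignore)
    ]


if __name__ == "__main__":
    for label, rules in (("match only", ()), ("match + ignore", IGNORE)):
        print(label)
        for line in flagged(SAMPLE, ignore=rules):
            print("  ALERT:", line[:90])
```

With the ignore rules applied, only the constructed `oom-kill` line still alerts, which is the check to run on any new ignore pattern: it must silence the audit noise without hiding a real kernel kill event.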