How do I modify auditd configurations to prevent automatic instance stops caused by insufficient disk space? - Elastic Compute Service

0.0.201

Problem description

An Elastic Compute Service (ECS) instance occasionally experiences automatic stops even when no operations are performed. After you restart the instance, the instance runs for a period of time and then automatically stops again. Error messages similar to the following messages appear in the system log files such as /var/log/messages:

localhost auditd[607]: Audit daemon is low on disk space for logging 
localhost auditd[607]: The audit daemon is now halting the system

Cause

By default, the auditd service is enabled for ECS instances that run CentOS or RHEL operating systems. The auditd service writes a large number of audit log entries to the /var/log/audit/ directory while other services and applications continuously write data to disks. As a result, the disk space may become insufficient. You can configure auditd action parameters, such as space_left_action, admin_space_left_action, and disk_full_action, in the /etc/audit/auditd.conf configuration file to specify what action to take when the disk space is insufficient. If you set an auditd action parameter to halt, the auditd service triggers a system shutdown when the disk space is insufficient. As a result, the ECS instance is stopped.

Solution

Connect to the ECS instance.
For more information, see Connection method overview.
Run the following command to modify the auditd configuration file:
```
vi /etc/audit/auditd.conf
```
Change the values of the auditd action parameters that respond to insufficient disk space. The parameters include space_left_action, admin_space_left_action, and disk_full_action.
We recommend that you set the parameters to SUSPEND, which specifies that the auditd service stops writing audit log entries to the /var/log/audit/ directory when the disk space is insufficient.
```
space_left = 75
space_left_action = SUSPEND
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
```
Restart the auditd service for the new configurations to take effect.
```
systemctl restart auditd.service
```

Feedback

Previous: What do I do if I cannot extend a GPT partition on a disk by using the growpart utility after the disk is extended?Next: What do I do if an error occurs when a file system is mounted or when data is read from a file system?

On this page （1, T）

Problem description

Cause

Solution

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Lingma

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)