fix(agent): filter false events lost from go-libaudit sequence rollover

yllada · yllada · commit 272d2fa6dba6 · 2026-03-30T11:52:27.000-04:00
diff --git a/agent/collector/auditd/stream.go b/agent/collector/auditd/stream.go
@@ -12,7 +12,11 @@ import (
 
 const (
 	// eventsLostThreshold - only log when this many events are lost at once.
+	// Small losses (1-10) are normal under high load and not worth logging.
 	eventsLostThreshold = 50
+
+	// eventsLostMaxReasonable is the maximum "reasonable" number of lost events.
+	eventsLostMaxReasonable = 1000000
 )
 
 // eventStream implements libaudit.Stream interface for reassembled events
@@ -59,10 +63,12 @@ func (s *eventStream) ReassemblyComplete(msgs []*auparse.AuditMessage) {
 	}
 }
 
-// EventsLost is called when events were lost due to buffer overflow
+// EventsLost is called when events were lost due to buffer overflow or rate limiting.
+// We filter these out by checking against a reasonable maximum.
 func (s *eventStream) EventsLost(count int) {
-	if count < eventsLostThreshold {
+	// Filter out unreasonable values caused by sequence number rollover bug
+	if count < eventsLostThreshold || count > eventsLostMaxReasonable {
 		return
 	}
-	utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow", count)
+	utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow or rate limiting", count)
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,11 @@ import (`
`12`	`12`
`13`	`13`	`const (`
`14`	`14`	`// eventsLostThreshold - only log when this many events are lost at once.`
	`15`	`+ // Small losses (1-10) are normal under high load and not worth logging.`
`15`	`16`	`eventsLostThreshold = 50`
	`17`	`+`
	`18`	`+ // eventsLostMaxReasonable is the maximum "reasonable" number of lost events.`
	`19`	`+ eventsLostMaxReasonable = 1000000`
`16`	`20`	`)`
`17`	`21`
`18`	`22`	`// eventStream implements libaudit.Stream interface for reassembled events`
`@@ -59,10 +63,12 @@ func (s eventStream) ReassemblyComplete(msgs []auparse.AuditMessage) {`
`59`	`63`	`}`
`60`	`64`	`}`
`61`	`65`
`62`		`-// EventsLost is called when events were lost due to buffer overflow`
	`66`	`+// EventsLost is called when events were lost due to buffer overflow or rate limiting.`
	`67`	`+// We filter these out by checking against a reasonable maximum.`
`63`	`68`	`func (s *eventStream) EventsLost(count int) {`
`64`		`- if count < eventsLostThreshold {`
	`69`	`+ // Filter out unreasonable values caused by sequence number rollover bug`
	`70`	`+ if count < eventsLostThreshold \|\| count > eventsLostMaxReasonable {`
`65`	`71`	`return`
`66`	`72`	`}`
`67`		`- utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow", count)`
	`73`	`+ utils.Logger.ErrorF("auditd: %d events lost due to buffer overflow or rate limiting", count)`
`68`	`74`	`}`