I am trying to run the Linux audit system in a nested Virtual machine on the google cloud engine. The problem I am facing is that the Linux Audit System suspends after showing the following error after a few minutes when I view the auditd status.
----------------------------------------------------------------------------------------------------
16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon has no space left on logging partition
16:53:42 fuzzer-VirtualBox auditd[294]: Audit daemon is suspending logging due to no space left on logging partition
----------------------------------------------------------------------------------------------------
I checked using the df -h command and found out that there were around 6GB of free space on the logging partition so I did not understand why this error is occurring. Can you provide me a solution? Could this be because of nested virtualization?
----------------------------------------------------------------------------------------------------
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = adm
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 24
num_logs = 50
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = keep_logs
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
----------------------------------------------------------------------------------------------------
Below are my parameters in audit.rules file:
----------------------------------------------------------------------------------------------------
## First rule - delete all
-D
## Buffer size
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
----------------------------------------------------------------------------------------------------