Audit daemon- The culprit

It is observed that if your Linux machine stops responding to any application the cause may be the audit daemon running on your system. But it can be only concluded if your /var/log/messages displays the audit daemon as culprit. The /var/log/messages normally shows messages like
May 16 10:40:01 test-server audbin[848]: threshold 20.00 exceeded for filesystem /var/log/audit.d/. - free blocks down to 19.96%
May 16 10:40:01 test-server auditd[3706]: Notify command /usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% exited with status 1
May 16 10:40:01 test-server auditd[3706]: output errorMay 16 10:40:01 test-server auditd[3706]: output error
May 16 10:40:01 test-server auditd[3706]: output error; suspending execution

In this case the problem is the audit daemon setting in the file /etc/audit/audit.conf

Normally the file looks like this
mode = bin;
num-files = 4;
file-size = 20M;
file-name = "/var/log/audit.d/bin";
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";# AUDBIN THRESHOLDS:# The above notify will cause auditd to enter 'suspend' mode when
# free space on the /var/ filesystem falls below 20%.
# To take remedial action, eg. moving the oldest save file to /backup, use:
# notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N 'mv -f %f /backup'";
# or even
# notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20% -N 'rm -f %f'";
# This will free space by removing the oldest "save." files first from /var,# returning 0 to auditd and allowing it to continue.


Now as per the above file the audit daemon gets suspended once the /var filesystem available space goes below 20 %

So we need to enable the last option of deleting the audit log file once the /var filesystem available space goes below 20 %
This can be done by commenting the first notify line and uncommenting the last notify line. The explanation in the file says it all