auditdistd: Sandbox process exited ungracefully

[dvl@]

I am seeing these messages every 30 seconds or so on FreeBSD 12.* hosts (The original post said 'and 11.2/3' but that has since been resolved: it was a server issue we have since resolved).

Dec 18 21:19:29 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=10469, exitcode=75).
Dec 18 21:19:50 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=11170, exitcode=75).
Dec 18 21:20:40 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=85400, exitcode=75).
Dec 18 21:21:21 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=92601, exitcode=75).

I don't know why. I'd like to resolve it.

First, is anyone else seeing this? From what I can tell, we are getting it on every host.

Client configuration is:

[dvl@dvl:~] $ grep auditdistd /etc/rc.conf
auditdistd_enable="YES"

[dvl@dvl:~] $ sudo cat /etc/security/auditdistd.conf
sender {
    host "audit.example.org" {
        remote "tls://10.0.0.23"
        fingerprint "SHA256=[redacted]"
        password "[redacted]"
    }
}

Server configuration is:

[dvl@audit:~] $ sudo cat /etc/security/auditdistd-receiver.conf
receiver {
   host "dvl" { remote "tls://10.0.0.2" password "[redacted]" }
   ... other hosts
}

Ideas please?

 

[Sparkee]

I'm also interested about this

 

[tingo]

buffer / memory / disk overflow?

 

[dvl@]

> buffer / memory / disk overflow?

It's not memory or disk overflow. This occurs on many servers. Checking a server just now, it has multiple GB RAM free and plenty of disk.

buffer overflow?

I just checked a host. There is nothing happening on it. It's 0.02 load avg. Yet, that message repeats, sometimes as often as every 20 seconds. I know I'm not providing anything helpful here.

 

[dvl@]

Here is an example from one host:

$ sudo ps auwwx | grep auditdistd
auditdistd  2319    0.0  0.0   16048    6820  -  SCJ  21:51        0:00.00 auditdistd: [TLS sandbox] (client)  (auditdistd)
root       85702    0.0  0.0   15372    4196  -  Ss   Thu20        0:01.42 /usr/sbin/auditdistd
auditdistd 85837    0.0  0.0   21548    5204  -  SCJ  Thu20        0:39.91 auditdistd: [audit01.example.com] (sender)  (auditdistd)
dvl         2767    0.0  0.0   11272    2748  1  S+   21:51        0:00.00 grep auditdistd

I then tail the log, and I soon see:

Jan  3 21:51:49 foo-01prd auditdistd[85702]: Sandbox process exited ungracefully (pid=2319, exitcode=75).

That's the process which was running above.

 

[dvl@]

Perhaps related PR 240762

 

[dvl@]

Confirmed, we believe the PR is exactly the issue we are seeing.