File: //proc/self/root/opt/netdata/netdata-configs/orig/health.d/audit.conf
# Alerts for the Linux audit subsystem.
# Monitors audit backlog utilization relative to failure mode,
# and detects audit event loss.
# Alert when audit backlog is filling up AND failure mode is panic (2).
# This combination means the system will kernel panic if the backlog overflows.
# Only fires when failure=2 (panic mode) — for other failure modes,
# audit_lost_events covers actual event loss.
# Template alert: attached to every chart in the audit.backlog_utilization
# context on the host (one alert instance per matching chart).
template: audit_backlog_utilization
on: audit.backlog_utilization
class: Utilization
type: System
component: Audit
# Peak (max) value of the `utilization` dimension over the last minute;
# `unaligned` evaluates the window ending now rather than on chart-aligned boundaries.
lookup: max -1m unaligned of utilization
units: %
every: 10s
# Both levels are gated on the audit failure mode being panic; with any other
# failure mode this alert stays clear regardless of backlog fill.
# NOTE(review): `$audit.failure.panic` presumes a chart `audit.failure` with a
# `panic` dimension is resolvable by name from this template — confirm against
# the collector that feeds this context.
# Defender note: in panic mode any burst that fills the backlog halts the host,
# so the 50/80 thresholds are meant to leave time to drain the backlog or raise
# the backlog limit (auditd tuning) before an overflow occurs.
warn: $this > 50 AND $audit.failure.panic == 1
crit: $this > 80 AND $audit.failure.panic == 1
# Recovery notifications (status going down) are held 5 minutes, growing 1.5x on
# repeated flaps up to a 1 hour ceiling, to damp clear/raise cycles; raises are
# not delayed.
delay: down 5m multiplier 1.5 max 1h
summary: Audit backlog utilization (kernel panic risk)
info: Linux audit backlog is filling up while failure mode is set to panic — kernel panic is imminent if backlog overflows
# NOTE(review): a panic-risk condition on the audit subsystem may also warrant a
# security on-call recipient in addition to sysadmin — confirm with the notification routing.
to: sysadmin
# Alert when audit events are being lost (dropped).
# This indicates the audit subsystem cannot keep up with event volume.
# Template alert: attached to every chart in the audit.lost context on the host.
template: audit_lost_events
on: audit.lost
class: Errors
type: System
component: Audit
# Peak lost-events rate over the last minute; any non-zero value means at least
# one audit record was dropped somewhere in that window.
lookup: max -1m unaligned of lost
units: events/s
every: 10s
# Warn-only (no crit level); the threshold is any loss at all.
# Defender note: when the failure mode is silent (0) or printk (1) this is the
# only signal that audit records were dropped, so a hit here is a gap in the
# audit trail — investigations covering this window cannot treat the log as
# complete — and not merely a capacity concern.
warn: $this > 0
# Recovery notifications are held 5 minutes, growing 1.5x on repeated flaps up
# to a 1 hour ceiling; raises are not delayed.
delay: down 5m multiplier 1.5 max 1h
summary: Audit subsystem losing events
info: Linux audit subsystem is losing events (backlog overflow, rate limiting, or memory pressure)
# NOTE(review): audit-trail gaps are typically of interest to the security team
# as well as sysadmin — confirm with the notification routing.
to: sysadmin