AUDIT_RESET_BACKLOG_WAIT_TIME_ACTUAL(3) Linux Audit API AUDIT_RESET_BACKLOG_WAIT_TIME_ACTUAL(3)

audit_reset_backlog_wait_time_actual - reset backlog wait time actual counter

#include <libaudit.h>

int audit_reset_backlog_wait_time_actual(int fd);

audit_reset_backlog_wait_time_actual() resets the kernel's running total of how long system calls have waited for space in the audit event queue. The fd must be an open audit netlink socket. This call is useful when administrators enable backlog waiting via the audit_set_backlog_wait_time(3) option to preserve events in tight memory situations. Periodically clearing the counter allows detection of renewed backlog waiting after changing the queue size or wait time. The kernel must support the AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL field for this call to succeed.

The return value is <= 0 on error, otherwise it is the netlink sequence id number.
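The periodic check described above can also be driven from the shell through auditctl(8), whose status output reports the same counter. The following is an added example, not part of the original manual page or the audit project's code. The AUDITCTL override variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect renewed backlog waiting, then clear the counter.
# AUDITCTL is a hypothetical override used only by this example, so the logic
# can be exercised without root or a running audit subsystem.
AUDITCTL=${AUDITCTL:-auditctl}

# Read `auditctl -s` output on stdin and print backlog_wait_time_actual.
# Returns 1 (and prints nothing) when the kernel does not report the field.
parse_wait_actual() {
    awk '$1 == "backlog_wait_time_actual" { print $2; found = 1 }
         END { exit !found }'
}

# Exit status:
#   0  no syscall waited on the backlog since the last reset
#   1  waiting was observed; the counter has been cleared
#   2  field unsupported, or the status query or reset failed
check_backlog_wait() {
    status=$($AUDITCTL -s) || return 2
    actual=$(printf '%s\n' "$status" | parse_wait_actual) || return 2
    case $actual in ''|*[!0-9]*) return 2 ;; esac
    if [ "$actual" -eq 0 ]; then
        return 0
    fi
    echo "audit: syscalls waited on the backlog (counter=$actual), resetting" >&2
    $AUDITCTL --reset_backlog_wait_time_actual >/dev/null || return 2
    return 1
}
```

Run check_backlog_wait as root from a timer or cron job. A status of 1 on a later run means waiting recurred after the queue size or wait time was changed.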

audit_set_backlog_wait_time(3), audit_open(3), auditctl(8).

Steve Grubb

July 2025 Red Hat