How to tell if auditd has suspended logging?
If you put the following in your auditd.conf, auditd will suspend logging when you have 50MB or less space on your disk:
admin_space_left = 50
admin_space_left_action = SUSPEND
How can an external program, e.g. a monit check, know if auditd has reached this suspended state?
(I realize that you can also use the EXEC action to do something when auditd suspends logging, but that does not suit my purposes.)
On a CentOS system I have to hand, the configuration of what to do when the various disk space limits are met is structured like this:
space_left = 75
space_left_action = SYSLOG
admin_space_left = 74
admin_space_left_action = SUSPEND
This causes the following message to be issued to syslog when free space on the partition housing the audit log goes below 75MB:
May 21 08:53:01 c6test auditd[5851]: Audit daemon is low on disk space for logging
Similarly, when free space goes below 74MB this message is issued to syslog:
May 21 08:54:01 c6test auditd[5851]: Audit daemon is suspending logging due to low disk space.
So to answer your question, it writes a message to syslog, which then finds its way into your system logs, so monit can be configured to look for it.
What the actual message is and which log file it gets written to is likely to be dependent upon OS and/or distro.
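A small log-scanning check built on the two syslog messages quoted in this answer, as an added example rather than code from the answer itself. It classifies auditd's disk-space state from a log file by taking the most recent matching line, and wraps that in a check function with monit-style exit codes. The log path and the sample lines fed to it at the bottom are constructed for the example; as the answer notes, the exact message text and log file may differ by distro, so adjust the patterns for your system.

```shell
#!/bin/sh
# Added example: detect auditd disk-space warnings/suspension from syslog.
# The two message texts come from the answer above (CentOS, auditd 2.x);
# everything else (paths, sample log) is an assumption for the example.

LOW_MSG='Audit daemon is low on disk space for logging'
SUSPEND_MSG='Audit daemon is suspending logging due to low disk space'

# auditd_state LOGFILE
# Prints "suspended", "low" or "ok" based on the most recent auditd
# disk-space message in LOGFILE. Later lines override earlier ones, so a
# "low" warning followed by a "suspending" message yields "suspended".
# Note: this only sees what is in LOGFILE; a daemon restart is not detected,
# so point it at the current log (not a rotated one) for a live check.
auditd_state() {
    last=$(grep -F 'auditd[' "$1" \
           | grep -e "$LOW_MSG" -e "$SUSPEND_MSG" \
           | tail -n 1)
    case "$last" in
        *"$SUSPEND_MSG"*) echo suspended ;;
        *"$LOW_MSG"*)     echo low ;;
        *)                echo ok ;;
    esac
}

# check_auditd_logging LOGFILE
# Exit status suitable for a monitoring "check program":
#   0 = logging OK, 1 = low on space (warning), 2 = logging suspended.
check_auditd_logging() {
    state=$(auditd_state "$1")
    echo "auditd logging state: $state"
    case "$state" in
        ok)        return 0 ;;
        low)       return 1 ;;
        suspended) return 2 ;;
    esac
}

# Stand-alone demo on a constructed log (the two lines are those quoted
# in the answer; the host name, pid and timestamps are from that answer).
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
May 21 08:53:01 c6test auditd[5851]: Audit daemon is low on disk space for logging
May 21 08:54:01 c6test auditd[5851]: Audit daemon is suspending logging due to low disk space.
EOF
check_auditd_logging "$demo_log" || true   # prints "auditd logging state: suspended"
rm -f "$demo_log"
```

For a real check, call `check_auditd_logging /var/log/messages` (or whatever file your syslog sends daemon messages to) from monit's `check program` and alert on a non-zero status; if you prefer to keep it inside monit, its `check file ... if match "..." then alert` form can match the suspension string directly.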
Looking at the source code (in version 2.6.7), there is no way to retrieve the current "suspended" state other than attaching a debugger to the process and making it dump the value of the logging_suspended internal variable.
You could send a test message and check that it gets logged though. That way, you'd check for the suspended condition but also for anything that prevents logging from happening. That is, you'd validate that it works properly all the way through.
#!/bin/sh
# Must run as root: auditctl needs CAP_AUDIT_WRITE and ausearch reads /var/log/audit/audit.log.
msg="audit test $(uuidgen)" || exit   # generate a unique message
auditctl -m "$msg" || exit            # send it as a USER-type audit event
sleep 1                               # give auditd time to write it out
ausearch -ts recent -m USER | grep -Fqe "$msg" && echo OK   # exits non-zero if the message never landed