# auditdistd: Sandbox process exited ungracefully



## dvl@ (Dec 18, 2019)

I am seeing these messages every 30 seconds or so on FreeBSD 12.* hosts (The original post said 'and 11.2/3' but that has since been resolved: it was a server issue we have since resolved).


```
Dec 18 21:19:29 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=10469, exitcode=75).
Dec 18 21:19:50 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=11170, exitcode=75).
Dec 18 21:20:40 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=85400, exitcode=75).
Dec 18 21:21:21 dvl auditdistd[86033]: Sandbox process exited ungracefully (pid=92601, exitcode=75).
```

I don't know why. I'd like to resolve it.

First, is anyone else seeing this? From what I can tell, we are getting it on every host.

Client configuration is:


```
[dvl@dvl:~] $ grep auditdistd /etc/rc.conf
auditdistd_enable="YES"
```


```
[dvl@dvl:~] $ sudo cat /etc/security/auditdistd.conf
sender {
    host "audit.example.org" {
        remote "tls://10.0.0.23"
        fingerprint "SHA256=[redacted]"
        password "[redacted]"
    }
}
```

Server configuration is:


```
[dvl@audit:~] $ sudo cat /etc/security/auditdistd-receiver.conf
receiver {
   host "dvl" { remote "tls://10.0.0.2" password "[redacted]" }
   ... other hosts
}
```

Ideas please?


----------



## Sparkee (Jan 3, 2020)

I'm also interested about this


----------



## tingo (Jan 3, 2020)

buffer / memory / disk overflow?


----------



## dvl@ (Jan 3, 2020)

> buffer / memory / disk overflow?

It's not memory or disk overflow.  This occurs on many servers. Checking a server just now, it has multiple GB RAM free and plenty of disk.

buffer overflow?

I just checked a host. There is nothing happening on it. It's 0.02 load avg. Yet, that message repeats, sometimes as often as every 20 seconds.  I know I'm not providing anything helpful here.


----------



## dvl@ (Jan 3, 2020)

Here is an example from one host:


```
$ sudo ps auwwx | grep auditdistd
auditdistd  2319    0.0  0.0   16048    6820  -  SCJ  21:51        0:00.00 auditdistd: [TLS sandbox] (client)  (auditdistd)
root       85702    0.0  0.0   15372    4196  -  Ss   Thu20        0:01.42 /usr/sbin/auditdistd
auditdistd 85837    0.0  0.0   21548    5204  -  SCJ  Thu20        0:39.91 auditdistd: [audit01.example.com] (sender)  (auditdistd)
dvl         2767    0.0  0.0   11272    2748  1  S+   21:51        0:00.00 grep auditdistd
```

I then tail the log, and I soon see:


```
Jan  3 21:51:49 foo-01prd auditdistd[85702]: Sandbox process exited ungracefully (pid=2319, exitcode=75).
```

That's the process which was running above.


----------



## dvl@ (Jan 15, 2020)

Perhaps related PR 240762


----------



## dvl@ (Jan 15, 2020)

Confirmed, we believe the PR is exactly the issue we are seeing.


----------

