I'm attempting to override the journald RateLimitIntervalSec and RateLimitBurst options which are currently too low for auditd service resulting in message drops.
It's not possible to modify the main config file: /etc/systemd/journald.conf. Instead I'm using a drop -in file to override these values:
# cat /usr/lib/systemd/journald.conf.d/journal.audit.conf
[Journal]
ForwardToSyslog = yes
RateLimitIntervalSec=3s
RateLimitBurst=10
This seems to work fine on most servers, but on at least one the overrides don't seem to be taking effect. I'd like to check what the runtime value of either of the two parameters is, and where they have been loaded from. I've checked the directories listed in the journald.conf documentation, and there are no other drop-in files overriding these parameters.
Neither: systemctl cat systemd-journald nor systemctl show systemd-journald, show this information.
Any suggestions what other command to use, or alternatively what else to check?
In case it matters, the issue was seen on a RHEL 7 host running systemd: 219.
On a separate note it seems the RateLimit* parameters aren't honoured for messages forwarded to syslog. Is that expected behaviour?
