Bug
Resolution: Unresolved
rhel-9.6, rhel-10.0
Critical
Red Hat Enterprise Linux
With rules that monitor file system activity (such as OSPP or STIG rules tracking deletion, mode change, etc.), updating the system or deleting a high number of files in a row leads to the following error message:
Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
This occurs despite having a large buffer (16384) and no other activity on the system.
The error messages are usually printed multiple times (as shown above) but there is nothing in dmesg that would indicate the audit buffer was full.
auditctl -s doesn't always report lost events.
Reproducer
Reproducing is very easy with the following setup:
- Tune buffer to 16384 and add rules on "delete"
  -b 16384
  -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
  -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
- Tune audit log file size to avoid rotations (rotation was leading to the error message in the past, so it's better to rule that out as well)
max_log_file = 64
- Move /var/log/audit to a dedicated disk
  # mkfs.xfs /dev/vdb
  # echo "/dev/vdb /var/log/audit xfs defaults 0 0" >> /etc/fstab
- Tune disk I/O for the dedicated disk to be slow
  In QEMU/KVM+libvirt, edit "VirtIO Disk2" XML and add iotune:
  <target dev="vdb" bus="virtio"/>
  <iotune>
    <total_bytes_sec>1000000</total_bytes_sec>
  </iotune>
- Reboot
- Install gcc package (which pulls some dependencies)
# yum -y install gcc
Result
Error messages:
Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
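
A check for the condition described in this report, auditd logging the netlink error while `auditctl -s` shows no lost events, as an added example that is not part of the original report. The journal lines and the `auditctl -s` excerpt are constructed samples, and the function names and verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare auditd ENOBUFS log lines with the `auditctl -s` lost counter.

# Constructed journal sample, modelled on the messages quoted in this report.
SAMPLE_JOURNAL='Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
Jul 11 09:07:07 vm-audit10 auditd[847]: Error receiving audit netlink packet (No buffer space available)
Jul 11 09:07:09 vm-audit10 systemd[1]: Started constructed unrelated unit.'

# Constructed `auditctl -s` excerpt (one "name value" pair per line).
SAMPLE_STATUS='enabled 1
failure 1
pid 847
backlog_limit 16384
lost 0
backlog 4'

# Count log lines (stdin) that carry the netlink ENOBUFS error.
count_enobufs() {
    grep -cF 'Error receiving audit netlink packet (No buffer space available)' || true
}

# Print one field of `auditctl -s` output (stdin); fail if the field is absent.
status_field() {
    awk -v key="$1" '$1 == key { print $2; found = 1 } END { exit !found }'
}

# Verdict names are this example's own (hypothetical), not auditd terminology.
classify() {  # $1 = ENOBUFS line count, $2 = kernel "lost" counter
    if [ "$1" -eq 0 ]; then echo "ok"
    elif [ "$2" -eq 0 ]; then echo "enobufs-but-lost-is-zero"
    else echo "enobufs-and-lost-reported"
    fi
}

check_audit_health() {  # $1 = journal text, $2 = `auditctl -s` text
    errs=$(printf '%s\n' "$1" | count_enobufs)
    lost=$(printf '%s\n' "$2" | status_field lost) || { echo "no-lost-field"; return 2; }
    classify "$errs" "$lost"
}

# Live use (as root): check_audit_health "$(journalctl -b -t auditd)" "$(auditctl -s)"
check_audit_health "$SAMPLE_JOURNAL" "$SAMPLE_STATUS"
```

A verdict of `enobufs-but-lost-is-zero` marks the case this report describes, where the error is logged but the `lost` counter does not reflect it.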