dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
Rachamadagu, Vasu
Vasu.Rachamadagu at staples.com
Thu Nov 12 16:40:58 UTC 2009
Hi,
I could see following event logged continuously on messages log. I am
using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
auditd[10959]: dispatch err (pipe full) event lost
auditd[10959]: dispatch error reporting limit reached - ending report
notification.
auditd[10959]: dispatch err (pipe full) event lost
--> /etc/audit.rules has only following line
-b 256
--> /etc/auditd.conf has following contents
log_file = /var/log/audit/audit.log
log_format = NOLOG
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
#disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
dispatcher = /usr/sbin/SnareDispatchHelper
--> /etc/snare.conf
Normal remote log collection server IP and other details.
Above setup working from last couple of months without any errors but
all of sudden I could see above specified errors from last couple of
days. Is there any bug in audit version or snare version?
Regards,
Vasu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20091112/c1b892e3/attachment.htm>
More information about the Linux-audit
mailing list