dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
Steve Grubb
sgrubb at redhat.com
Fri Nov 13 14:06:13 UTC 2009
On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see the following event logged continuously in the messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost

Sounds like the dispatcher is not taking events fast enough.

> --> /etc/audit.rules has only the following line
>
> -b 256

This would kind of indicate that you are only using the hardwired events from
SE Linux, pam, and a few other apps. You shouldn't really be getting much
traffic.

> Normal remote log collection server IP and other details.
>
> The above setup has been working for the last couple of months without any
> errors, but all of a sudden I have been seeing the above specified errors for
> the last couple of days. Is there any bug in the audit version or snare version?

1.0.16 has been stable for a very long time. You might see what kind of events
you are getting.

    aureport --start this-week -e --summary -i

Tracking down what events are suddenly showing up might help find the problem.

-Steve
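
Added example, not part of the original message or of the audit package: one way to see which record types have suddenly started showing up, by counting records per day and type straight from audit log lines. The sample lines, the function names and the factor of 3 are constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample records in the "type=... msg=audit(epoch.ms:serial):"
# line format written by auditd; none of these come from the thread.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1257811260.101:100): user pid=2101 uid=0 msg='PAM authentication'
type=CRED_ACQ msg=audit(1257811261.204:101): user pid=2101 uid=0 msg='PAM setcred'
type=USER_AUTH msg=audit(1257897660.310:150): user pid=3307 uid=0 msg='PAM authentication'
type=USER_START msg=audit(1257897661.412:151): user pid=3307 uid=0 msg='PAM session open'
type=USER_AUTH msg=audit(1257984060.120:200): user pid=4410 uid=0 msg='PAM authentication'
type=AVC msg=audit(1257984061.500:201): avc:  denied  { read } for  pid=4500
type=AVC msg=audit(1257984061.700:202): avc:  denied  { read } for  pid=4500
type=AVC msg=audit(1257984062.100:203): avc:  denied  { read } for  pid=4500
type=AVC msg=audit(1257984062.300:204): avc:  denied  { read } for  pid=4500
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\)")

def counts_per_day(lines):
    """Return {UTC date: Counter of record types}; non-audit lines are skipped."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue
        day = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc).date()
        per_day[day.isoformat()][m.group(1)] += 1
    return per_day

def sudden_types(per_day, factor=3):
    """Flag types whose count on the latest day is at least `factor` times
    their busiest earlier day (a type never seen before has a baseline of 0)."""
    days = sorted(per_day)
    if not days:
        return {}
    latest, earlier = days[-1], days[:-1]
    flagged = {}
    for rtype, n in per_day[latest].items():
        baseline = max((per_day[d][rtype] for d in earlier), default=0)
        if n >= factor * max(baseline, 1):
            flagged[rtype] = (baseline, n)
    return flagged

if __name__ == "__main__":
    for rtype, (before, now) in sudden_types(counts_per_day(SAMPLE_LOG.splitlines())).items():
        print(f"{rtype}: busiest earlier day {before}, latest day {now}")
```

To run it against a real log, pass the lines of the audit log file to counts_per_day() in place of SAMPLE_LOG.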