dispatch err (pipe full) event lost - audit-1.0.16-4(2.6.9-67.0.4.ELsmp)
Rachamadagu, Vasu
Vasu.Rachamadagu at staples.com
Fri Nov 13 14:39:02 UTC 2009
Thank you Steve.
But it shows no events found. I have verified with snare remote server
(destination) for the logs and they are saying that getting logs +
dispatch error messages. Is there any way to fix these errors?
aureport --start this-week -e --summary -i
Event Summary Report
======================
total type
======================
<no events of interest were found>
Regards,
Vasu
-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
Sent: Friday, November 13, 2009 9:06 AM
To: linux-audit at redhat.com
Subject: Re: dispatch err (pipe full) event lost -
audit-1.0.16-4(2.6.9-67.0.4.ELsmp)
On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see following event logged continuously on messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost
Sounds like the dispatcher is not taking events fast enough.
> --> /etc/audit.rules has only following line
>
> -b 256
This would kind of indicate that you are only using the hardwired events
from
SE Linux, pam, and a few other apps. You shouldn't really be getting
much
traffic.
> Normal remote log collection server IP and other details.
>
> Above setup working from last couple of months without any errors but
> all of sudden I could see above specified errors from last couple of
> days. Is there any bug in audit version or snare version?
1.0.16 has been stable for a very long time. You might see what kind of
events
you are getting.
aureport --start this-week -e --summary -i
Tracking down what events are suddenly showing up might help find the
problem.
-Steve
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list