dispatch err (pipe full) event lost - audit-1.0.16-4(2.6.9-67.0.4.ELsmp)

Rachamadagu, Vasu Vasu.Rachamadagu at staples.com
Fri Nov 13 14:39:02 UTC 2009


Thank you Steve.

But it shows no events found. I have verified with the Snare remote server
(destination) for the logs, and they are saying that they are getting logs +
dispatch error messages. Is there any way to fix these errors?


aureport --start this-week -e --summary -i

Event Summary Report
======================
total  type
======================
<no events of interest were found>


Regards,
Vasu


-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Steve Grubb
Sent: Friday, November 13, 2009 9:06 AM
To: linux-audit at redhat.com
Subject: Re: dispatch err (pipe full) event lost -
audit-1.0.16-4(2.6.9-67.0.4.ELsmp)

On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see the following event logged continuously in the messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
> 
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost

Sounds like the dispatcher is not taking events fast enough.
 
> --> /etc/audit.rules has only the following line
> 
> -b 256

This would kind of indicate that you are only using the hardwired events
from SE Linux, pam, and a few other apps. You shouldn't really be getting
much traffic.

 
> Normal remote log collection server IP and other details.
> 
> The above setup has been working for the last couple of months without any
> errors, but all of a sudden I have been seeing the above errors for the last
> couple of days. Is there any bug in the audit version or Snare version?

1.0.16 has been stable for a very long time. You might see what kind of
events you are getting.

aureport --start this-week -e --summary -i  

Tracking down what events are suddenly showing up might help find the
problem.

-Steve

--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
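
Added example, not part of the original thread or of the audit project's code: when aureport shows nothing, the same question (which record types suddenly increased, and when) can be answered by tallying the raw records directly. The sample lines are constructed; on a real host the inputs would be read from the audit log and the messages log, whose locations are assumptions here.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Raw audit record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>):
AUDIT_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")
LOST_MARK = "dispatch err (pipe full) event lost"

def events_per_hour(audit_lines):
    """Count audit records per (UTC hour, record type)."""
    counts = Counter()
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue  # skip truncated or non-audit lines
        ts = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
        counts[(ts.strftime("%Y-%m-%d %H:00"), m.group(1))] += 1
    return counts

def top_types(counts, n=3):
    """Record types ranked by total volume across all hours."""
    totals = Counter()
    for (_, rtype), c in counts.items():
        totals[rtype] += c
    return totals.most_common(n)

def lost_events(syslog_lines):
    """Count 'pipe full' messages. The thread's log shows auditd stops
    reporting after a limit, so treat this as a lower bound."""
    return sum(1 for line in syslog_lines if LOST_MARK in line)

# Constructed sample input (not taken from the poster's system).
AUDIT_SAMPLE = [
    "type=USER_AUTH msg=audit(1258117205.100:101): user pid=4242 uid=0",
    "type=AVC msg=audit(1258120801.200:102): avc: denied { read }",
    "type=AVC msg=audit(1258120802.300:103): avc: denied { read }",
    "type=AVC msg=audit(1258120803.300:104): avc: denied { read }",
    "partial line without a header",
]
SYSLOG_SAMPLE = [
    "Nov 13 14:00:01 host auditd[10959]: dispatch err (pipe full) event lost",
    "Nov 13 14:00:01 host auditd[10959]: dispatch error reporting limit reached - ending report notification.",
    "Nov 13 14:00:02 host auditd[10959]: dispatch err (pipe full) event lost",
]

if __name__ == "__main__":
    counts = events_per_hour(AUDIT_SAMPLE)
    for (hour, rtype), c in sorted(counts.items()):
        print(hour, rtype, c)
    print("top types:", top_types(counts))
    print("lost-event messages:", lost_events(SYSLOG_SAMPLE))
```

An hour in which one record type jumps, lined up against the first "pipe full" message, points at the source that is outrunning the dispatcher.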





