On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
I could see the following event logged continuously in the messages log. I am using audit-1.0.16 with SnareLinux-1.5.0-1.
auditd[10959]: dispatch err (pipe full) event lost
auditd[10959]: dispatch error reporting limit reached - ending report notification.
auditd[10959]: dispatch err (pipe full) event lost
Sounds like the dispatcher is not taking events fast enough.
--> /etc/audit.rules has only the following line:
-b 256
This would kind of indicate that you are only using the hardwired events from
SE Linux, pam, and a few other apps. You shouldn't really be getting much
traffic.
Normal remote log collection server IP and other details.
The above setup has been working for the last couple of months without any errors, but all of a sudden I could see the errors specified above for the last couple of days. Is there any bug in the audit version or the Snare version?
1.0.16 has been stable for a very long time. You might see what kind of events
you are getting.
aureport --start this-week -e --summary -i
Tracking down what events are suddenly showing up might help find the problem.
-Steve
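A lost audit event is a gap in the audit trail, so the "event lost" messages in this thread are worth monitoring for rather than just tolerating. Below is an added example (not code from the thread or from the audit project) that parses syslog lines of the form quoted above and reports, per auditd PID, how many losses were logged and whether auditd hit its reporting limit; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Nov 12 11:40:01 host auditd[10959]: dispatch err (pipe full) event lost
Nov 12 11:40:01 host auditd[10959]: dispatch err (pipe full) event lost
Nov 12 11:40:02 host auditd[10959]: dispatch error reporting limit reached - ending report notification.
Nov 12 11:40:05 host sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
Nov 12 11:41:10 host auditd[10959]: dispatch err (pipe full) event lost
"""

LOST_RE = re.compile(r"auditd\[(\d+)\]: dispatch err \((.+?)\) event lost")
LIMIT_RE = re.compile(r"auditd\[(\d+)\]: dispatch error reporting limit reached")


def summarize_dispatch_errors(log_text):
    """Count logged 'event lost' messages per auditd PID and by reason.

    Once auditd logs 'reporting limit reached' it stops reporting further
    losses, so for any PID listed in 'reporting_suppressed' the logged count
    is only a lower bound on the events actually dropped.
    """
    lost_per_pid = Counter()
    reasons = Counter()
    suppressed = set()
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            lost_per_pid[m.group(1)] += 1
            reasons[m.group(2)] += 1
            continue
        m = LIMIT_RE.search(line)
        if m:
            suppressed.add(m.group(1))
    return {
        "lost_logged": dict(lost_per_pid),
        "reasons": dict(reasons),
        "reporting_suppressed": sorted(suppressed),
    }


def audit_gap_alert(summary):
    """True when any audit events were lost or loss reporting was cut off."""
    return bool(summary["lost_logged"]) or bool(summary["reporting_suppressed"])
```

Feed it the relevant slice of /var/log/messages; a non-empty `reporting_suppressed` list means the dispatcher backlog lasted long enough that the real loss count is unknown.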