Hi,

I can see the following events logged continuously in the messages log. I am using audit version 1.0.16 with SnareLinux version 1.5.0-1.

auditd[10959]: dispatch err (pipe full) event lost
auditd[10959]: dispatch error reporting limit reached - ending report notification.
auditd[10959]: dispatch err (pipe full) event lost

-> /etc/audit.rules has only the following line

-b 256

-> /etc/auditd.conf has the following contents

log_file = /var/log/audit/audit.log
log_format = NOLOG
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
#disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
dispatcher = /usr/sbin/SnareDispatchHelper

-> /etc/snare.conf

Normal remote log collection server IP and other details.

The above setup has been working for the last couple of months without any errors, but all of a sudden I have been seeing the errors specified above for the last couple of days. Is there a bug in the audit version or the Snare version?

Regards,
Vasu