Hi everyone, I work in an environment with Internet-isolated networks.
I am having a problem that presents the following in /var/log/messages:
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch error reporting limit reached - ending report notification
While tailing /var/log/audit/audit.log I noticed a high volume of data
pouring into the file. It looked like it was tied to the same "keyed" audit
rule, so I commented out all of the rules associated with that -k "key".
I restarted the audit daemon and continued to monitor
/var/log/audit/audit.log; the speed at which records were pouring in
was drastically reduced. However, /var/log/messages is still reporting the
same dispatch errors.
The rules that were pegging audit.log (and forcing it to roll over every 2
minutes at a size of 36MB) were commented out, and /usr/sbin/ntpd (I think
through the adjtimex syscall) is now the more recent culprit.
Any suggestions on how to resolve this problem?
--------------------------
Warron French
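The post above finds the noisy rule by eyeballing a tail of audit.log. As an added example (not from the original poster), the following script tallies SYSCALL records by key, syscall number and executable so the source of a flood like this can be ranked instead of guessed at; the audit records it parses are constructed for illustration, and the syscall numbers in them assume x86_64 (arch=c000003e), where 159 is adjtimex.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (fields trimmed, values made up for illustration).
# On x86_64, syscall=159 is adjtimex; `ausyscall 159` resolves the number on a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:5001): arch=c000003e syscall=159 success=yes exit=5 pid=900 uid=38 exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1700000000.102:5002): arch=c000003e syscall=159 success=yes exit=5 pid=900 uid=38 exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1700000000.103:5003): arch=c000003e syscall=159 success=yes exit=5 pid=900 uid=38 exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1700000000.104:5004): arch=c000003e syscall=2 success=yes exit=3 pid=1200 uid=0 exe="/usr/bin/vim" key="etc-watch"
type=CWD msg=audit(1700000000.104:5004): cwd="/root"
type=PATH msg=audit(1700000000.104:5004): item=0 name="/etc/hosts" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.105:5005): arch=c000003e syscall=159 success=yes exit=5 pid=900 uid=38 exe="/usr/sbin/ntpd" key=(null)
"""

# name=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {name: value.strip('"') for name, value in FIELD_RE.findall(line)}


def count_sources(log_text):
    """Tally SYSCALL records by (key, syscall, exe). CWD/PATH and other record
    types belong to the same event serial as their SYSCALL line, so they are
    skipped to avoid counting one event several times."""
    tally = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        tally[(rec.get("key", "(null)"), rec.get("syscall"), rec.get("exe"))] += 1
    return tally


def top_sources(log_text, n=3):
    """Return the n noisiest (key, syscall, exe) tuples, most frequent first."""
    return count_sources(log_text).most_common(n)


if __name__ == "__main__":
    for (key, syscall, exe), n in top_sources(SAMPLE_LOG):
        print(f"{n:6d}  key={key:<14} syscall={syscall:<4} exe={exe}")
```

Run it against a real file with `python3 script.py < /dev/null` replaced by reading /var/log/audit/audit.log into `count_sources`; the key column then tells you which -k rule to tune rather than disable outright.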