Hi everyone, I work in an environment with Internet-isolated networks.

I am having a problem that presents the following in /var/log/messages:
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch error reporting limit reached - ending report notification

While tailing the /var/log/audit/audit.log I notice a high volume of data pouring into the file; looked like it was tied to the same "keyed" audit rule, so I commented out all of the rules associated with that -k "key."

I restarted the audit daemon, and continued to monitor the /var/log/audit/audit.log; and the speed at which records were pouring in was drastically reduced; however, /var/log/messages is still reporting the same dispatch errors.

The rules that are pegging audit.log (and forcing it to roll over every 2 minutes at a size of 36MB) were commented out, and /usr/sbin/ntpd (I think through the adjtimex syscall) is what is now the more recent culprit.

Any suggestions on how to resolve this problem?

--------------------------
Warron French