Thank you Steve. But it shows no events found. I have verified with snare remote server (destination) for the logs and they are saying that getting logs + dispatch error messages. Is there any way to fix these errors? aureport --start this-week -e --summary -i Event Summary Report ====================== total type ====================== <no events of interest were found> Regards, Vasu -----Original Message----- From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb Sent: Friday, November 13, 2009 9:06 AM To: linux-audit(a)redhat.com Subject: Re: dispatch err (pipe full) event lost - audit-1.0.16-4(2.6.9-67.0.4.ELsmp) On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote: Sounds like the dispatcher is not taking events fast enough. This would kind of indicate that you are only using the hardwired events from SE Linux, pam, and a few other apps. You shouldn't really be getting much traffic. 1.0.16 has been stable for a very long time. You might see what kind of events you are getting. aureport --start this-week -e --summary -i Tracking down what events are suddenly showing up might help find the problem. -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit