From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
Date: Fri, 13 Nov 2009 09:06:13 -0500
Message-ID: <200911130906.14187.sgrubb@redhat.com>
In-Reply-To: <4A90605B9345DD489B4512A35AEB3A2804BB265C@nedexmb3.staplesams.com>

On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see following event logged continuously on messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost

Sounds like the dispatcher is not taking events fast enough.

> --> /etc/audit.rules has only following line
>
> -b 256

This would kind of indicate that you are only using the hardwired events from
SE Linux, pam, and a few other apps. You shouldn't really be getting much
traffic.

> Normal remote log collection server IP and other details.
>
> Above setup working from last couple of months without any errors but
> all of sudden I could see above specified errors from last couple of
> days. Is there any bug in audit version or snare version?

1.0.16 has been stable for a very long time. You might see what kind of events
you are getting.

    aureport --start this-week -e --summary -i

Tracking down what events are suddenly showing up might help find the problem.

-Steve
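
Added example, not part of the message above and not code from the audit package: a per-day tally of audit record types that flags the ones that have suddenly started showing up, as a complement to the aureport summary. It assumes the usual `type=NAME msg=audit(EPOCH.MSEC:SERIAL):` record header, counts records rather than events, and uses hypothetical function names, a 3x threshold and constructed sample records.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Start of each audit record: type=NAME msg=audit(EPOCH.MSEC:SERIAL):
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")

def daily_type_counts(lines):
    """Return {date: Counter({record_type: n})}, bucketed by UTC day."""
    days = defaultdict(Counter)
    for line in lines:
        m = HEADER.match(line)
        if m is None:          # syslog noise, truncated or blank lines
            continue
        day = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc).date()
        days[day][m.group(1)] += 1
    return dict(days)

def surging_types(days, factor=3.0):
    """Record types whose count on the latest day is at least `factor`
    times their average over the earlier days (types never seen before
    are compared against a floor of one record per day)."""
    if len(days) < 2:
        return []
    *earlier, latest = sorted(days)
    hits = []
    for rtype, n in days[latest].items():
        avg = sum(days[d][rtype] for d in earlier) / len(earlier)
        if n >= factor * max(avg, 1.0):
            hits.append((rtype, n, avg))
    return sorted(hits, key=lambda h: -h[1])

def sample_records():
    """Constructed records (not from the thread): steady logins for three
    days, then a burst of USER_AVC records on the third day."""
    t0 = datetime(2009, 11, 10, tzinfo=timezone.utc)
    out, serial = ["auditd[10959]: dispatch err (pipe full) event lost"], 500
    for d in range(3):
        burst = [("USER_AVC", 40)] if d == 2 else []
        for rtype, n in [("USER_AUTH", 4), ("USER_START", 4)] + burst:
            for i in range(n):
                serial += 1
                ts = int((t0 + timedelta(days=d, seconds=60 * i)).timestamp())
                out.append(f"type={rtype} msg=audit({ts}.000:{serial}): user pid=2101 uid=0")
    return out

if __name__ == "__main__":
    for rtype, n, avg in surging_types(daily_type_counts(sample_records())):
        print(f"{rtype}: {n} records on latest day, {avg:.1f}/day before")
```

To run it against real data, pass the lines of the audit log file to `daily_type_counts` instead of `sample_records()`.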