From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
Date: Fri, 13 Nov 2009 09:06:13 -0500
Message-ID: <200911130906.14187.sgrubb@redhat.com>
References: <4A90605B9345DD489B4512A35AEB3A2804BB265C@nedexmb3.staplesams.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-15"
Content-Transfer-Encoding: 7bit
Received: from x2.localnet (vpn-11-158.rdu.redhat.com [10.11.11.158])
	by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id nADE6clC017222
	for ; Fri, 13 Nov 2009 09:06:39 -0500
In-Reply-To: <4A90605B9345DD489B4512A35AEB3A2804BB265C@nedexmb3.staplesams.com>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see following event logged continuously on messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost

Sounds like the dispatcher is not taking events fast enough.

> --> /etc/audit.rules has only following line
>
> -b 256

This would kind of indicate that you are only using the hardwired events from
SE Linux, pam, and a few other apps. You shouldn't really be getting much
traffic.

> Normal remote log collection server IP and other details.
>
> Above setup working from last couple of months without any errors but
> all of sudden I could see above specified errors from last couple of
> days. Is there any bug in audit version or snare version?

1.0.16 has been stable for a very long time. You might see what kind of events
you are getting.

aureport --start this-week -e --summary -i

Tracking down what events are suddenly showing up might help find the problem.

-Steve
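
The `aureport` summary above gives totals per event type for the week. As an added example (not part of the original message and not code from the audit project), the sketch below breaks audit records down per day and flags the types that jumped on the most recent day. The function names, the thresholds and the sample records are assumptions constructed for illustration; the only format relied on is the `type=NAME msg=audit(epoch.millis:serial):` record header.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Header of an auditd log record: type=NAME msg=audit(epoch.millis:serial):
RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")

def build_sample():
    """Constructed sample: two quiet days, then a burst of one record type."""
    base = 1257811200  # 2009-11-10 00:00:00 UTC
    lines, serial = [], 4000
    for day in range(3):
        mix = [("USER_AUTH", 2), ("USER_START", 2)]
        if day == 2:
            mix.append(("AVC", 40))  # the constructed "sudden" traffic
        for rtype, count in mix:
            for i in range(count):
                serial += 1
                ts = base + day * 86400 + 3600 + i
                lines.append(f"type={rtype} msg=audit({ts}.000:{serial}): constructed payload")
    lines.append("auditd[10959]: dispatch err (pipe full) event lost")  # syslog line, skipped
    return lines

def daily_type_counts(lines):
    """Return {date: Counter({record_type: count})} for audit log lines."""
    days = defaultdict(Counter)
    for line in lines:
        m = RECORD.match(line)
        if m:  # anything that is not an audit record is ignored
            day = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc).date()
            days[day][m.group(1)] += 1
    return dict(days)

def surging_types(days, factor=3, min_count=5):
    """Types whose count on the latest day exceeds factor x their earlier daily mean."""
    if not days:
        return {}
    ordered = sorted(days)
    latest, earlier = days[ordered[-1]], ordered[:-1]
    surges = {}
    for rtype, count in latest.items():
        baseline = sum(days[d][rtype] for d in earlier) / max(len(earlier), 1)
        if count >= min_count and count > factor * baseline:
            surges[rtype] = (baseline, count)
    return surges

if __name__ == "__main__":
    print(surging_types(daily_type_counts(build_sample())))
```

On a real host the same functions can be fed the lines of the audit log in place of `build_sample()`.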