* dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
@ 2009-11-12 16:40 Rachamadagu, Vasu
2009-11-13 14:06 ` Steve Grubb
0 siblings, 1 reply; 3+ messages in thread
From: Rachamadagu, Vasu @ 2009-11-12 16:40 UTC (permalink / raw)
To: linux-audit
Hi,
I can see the following event logged continuously in the messages log. I am
using audit version 1.0.16 with SnareLinux version 1.5.0-1.
auditd[10959]: dispatch err (pipe full) event lost
auditd[10959]: dispatch error reporting limit reached - ending report
notification.
auditd[10959]: dispatch err (pipe full) event lost
--> /etc/audit.rules has only the following line
-b 256
--> /etc/auditd.conf has the following contents
log_file = /var/log/audit/audit.log
log_format = NOLOG
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
#disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
dispatcher = /usr/sbin/SnareDispatchHelper
--> /etc/snare.conf
Normal remote log collection server IP and other details.
The above setup has been working for the last couple of months without any
errors, but all of a sudden I have been seeing the errors above for the last
couple of days. Is there any bug in the audit version or the snare version?
Regards,
Vasu
* Re: dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp)
2009-11-12 16:40 dispatch err (pipe full) event lost - audit-1.0.16-4 (2.6.9-67.0.4.ELsmp) Rachamadagu, Vasu
@ 2009-11-13 14:06 ` Steve Grubb
0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2009-11-13 14:06 UTC (permalink / raw)
To: linux-audit
On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see following event logged continuously on messages log. I am
> using audit-1.0.16 version with SnareLinux-1.5.0-1 version.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost
Sounds like the dispatcher is not taking events fast enough.
> --> /etc/audit.rules has only following line
>
> -b 256
This would kind of indicate that you are only using the hardwired events from
SE Linux, pam, and a few other apps. You shouldn't really be getting much
traffic.
> Normal remote log collection server IP and other details.
>
> Above setup working from last couple of months without any errors but
> all of sudden I could see above specified errors from last couple of
> days. Is there any bug in audit version or snare version?
1.0.16 has been stable for a very long time. You might see what kind of events
you are getting.
aureport --start this-week -e --summary -i
Tracking down what events are suddenly showing up might help find the problem.
-Steve
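The failure mode discussed in this thread, as an added example that is not code from the thread or from the audit project: the config in the first message leaves disp_qos commented out, so auditd runs with the documented default, lossy, and Steve's diagnosis is a dispatcher that does not drain its pipe fast enough. The script below reproduces that with a plain pipe and a deliberately stalled reader, in lossy (non-blocking write, event dropped on EAGAIN) and lossless (blocking write, producer stalls instead) modes, and reads the effective disp_qos out of a constructed auditd.conf fragment. Record contents, sizes, the stall time and the pipe-buffer size are assumptions about the host, not auditd internals.

```python
"""Added example (not from the mailing-list thread or the audit project):
reproduce "pipe full" event loss with a stalled pipe consumer, compare
lossy and lossless dispatch, and report the effective disp_qos of an
auditd.conf text.  Standard library only."""
import os
import re
import threading
import time

# Record size kept below PIPE_BUF (4096) so every write is all-or-nothing.
EVENT_SIZE = 120


def run_dispatch(n_events, qos="lossy", consumer_stall=1.0):
    """Write n_events newline-terminated records into a pipe whose reader
    sleeps for `consumer_stall` seconds before draining to EOF.

    qos="lossy": the write end is non-blocking; a full pipe raises EAGAIN
    and the record is dropped (the case auditd logs as
    "dispatch err (pipe full) event lost").
    qos="lossless": blocking writes; the producer stalls until the reader
    catches up, so nothing is dropped but the producer itself is delayed.
    Returns (delivered, lost)."""
    if qos not in ("lossy", "lossless"):
        raise ValueError("qos must be 'lossy' or 'lossless'")
    rfd, wfd = os.pipe()
    if qos == "lossy":
        os.set_blocking(wfd, False)

    delivered = []

    def reader():
        time.sleep(consumer_stall)  # assumed: dispatcher that is not keeping up
        buf = b""
        while True:
            chunk = os.read(rfd, 65536)
            if not chunk:
                break
            buf += chunk
        os.close(rfd)
        delivered.append(buf.count(b"\n"))

    t = threading.Thread(target=reader)
    t.start()

    lost = 0
    for seq in range(n_events):
        # Constructed record; the payload is padding, only the size matters.
        record = (b"type=USER_AUTH seq=%d " % seq).ljust(EVENT_SIZE - 1, b"x") + b"\n"
        try:
            os.write(wfd, record)
        except BlockingIOError:  # EAGAIN: pipe full, event lost
            lost += 1
    os.close(wfd)
    t.join()
    return delivered[0], lost


def effective_disp_qos(conf_text):
    """Return the disp_qos auditd would use for the given auditd.conf text:
    the first uncommented 'disp_qos = ...' line, or the documented default,
    lossy, when the setting is absent or commented out."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*disp_qos\s*=\s*(\w+)\s*$", line)
        if m:
            return m.group(1).lower()
    return "lossy"


# Constructed fragment mirroring the config posted in the thread: disp_qos
# is commented out, so the default (lossy) applies.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
log_format = NOLOG
#dispatcher = /sbin/audispd
#disp_qos = lossy
dispatcher = /usr/sbin/SnareDispatchHelper
"""

if __name__ == "__main__":
    print("effective disp_qos:", effective_disp_qos(SAMPLE_CONF))
    for mode in ("lossy", "lossless"):
        delivered, lost = run_dispatch(2000, qos=mode)
        print("%-8s delivered=%d lost=%d" % (mode, delivered, lost))
```

With 2000 records of 120 bytes (240 KB) against a pipe buffer of 64 KB, the lossy run drops most of the events while the lossless run delivers all of them and instead holds the producer back for the length of the stall; that is the trade-off disp_qos selects. Note that with log_format = NOLOG, as in the posted config, the dispatcher's copy is the only copy of each event, so a lossy pipe means the event is gone rather than merely missing from the remote collector.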
* RE: dispatch err (pipe full) event lost - audit-1.0.16-4(2.6.9-67.0.4.ELsmp)
[not found] <4A90605B9345DD489B4512A35AEB3A2804BB266A@nedexmb3.staplesams.com>
@ 2009-11-13 14:39 ` Rachamadagu, Vasu
0 siblings, 0 replies; 3+ messages in thread
From: Rachamadagu, Vasu @ 2009-11-13 14:39 UTC (permalink / raw)
To: linux-audit
Thank you Steve.
But it shows no events found. I have verified with the snare remote server
(destination) for the logs, and they are saying that they are getting logs +
dispatch error messages. Is there any way to fix these errors?
aureport --start this-week -e --summary -i
Event Summary Report
======================
total type
======================
<no events of interest were found>
Regards,
Vasu