Hi,

I can see the following event logged continuously in the messages log. I am using audit-1.0.16 with SnareLinux-1.5.0-1.

auditd[10959]: dispatch err (pipe full) event lost
auditd[10959]: dispatch error reporting limit reached - ending report notification.
auditd[10959]: dispatch err (pipe full) event lost

--> /etc/audit.rules has only the following line

-b 256

--> /etc/auditd.conf has the following contents

log_file = /var/log/audit/audit.log
log_format = NOLOG
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
#disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
dispatcher = /usr/sbin/SnareDispatchHelper

--> /etc/snare.conf

Normal remote log collection server IP and other details.

The above setup has been working for the last couple of months without any errors, but all of a sudden I have been seeing the above errors for the last couple of days. Is there any bug in the audit version or the Snare version?

Regards,
Vasu
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
