Thank you, Steve. But it shows no events found. I have verified with the Snare remote server (destination) for the logs, and they are saying that they are getting the logs as well as the dispatch error messages. Is there any way to fix these errors?

aureport --start this-week -e --summary -i

Event Summary Report
======================
total  type
======================
<no events of interest were found>

Regards,
Vasu

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Steve Grubb
Sent: Friday, November 13, 2009 9:06 AM
To: [email protected]
Subject: Re: dispatch err (pipe full) event lost - audit-1.0.16-4(2.6.9-67.0.4.ELsmp)

On Thursday 12 November 2009 11:40:58 am Rachamadagu, Vasu wrote:
> I could see the following event logged continuously in the messages log. I am
> using audit-1.0.16 with SnareLinux-1.5.0-1.
>
> auditd[10959]: dispatch err (pipe full) event lost
> auditd[10959]: dispatch error reporting limit reached - ending report
> notification.
> auditd[10959]: dispatch err (pipe full) event lost

Sounds like the dispatcher is not taking events fast enough.

> --> /etc/audit.rules has only the following line
>
> -b 256

This would kind of indicate that you are only using the hardwired events from SE Linux, pam, and a few other apps. You shouldn't really be getting much traffic.

> Normal remote log collection server IP and other details.
>
> The above setup has been working for the last couple of months without any errors, but
> all of a sudden I could see the above specified errors for the last couple of
> days. Is there any bug in the audit version or the Snare version?

1.0.16 has been stable for a very long time. You might see what kind of events you are getting.

aureport --start this-week -e --summary -i

Tracking down what events are suddenly showing up might help find the problem.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
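As an added example, not part of this thread or of the audit or Snare projects: a small Python script that tallies the auditd "dispatch err (pipe full) event lost" messages per auditd PID from syslog lines shaped like the ones Vasu quoted, and flags when the "reporting limit reached" marker means the count is only a lower bound (auditd says it stops reporting further losses at that point). The sample log lines are constructed for the example.

```python
import re

# Constructed sample /var/log/messages lines (not taken from a real host).
SAMPLE_LOG = """\
Nov 12 11:40:01 host auditd[10959]: dispatch err (pipe full) event lost
Nov 12 11:40:01 host auditd[10959]: dispatch err (pipe full) event lost
Nov 12 11:40:02 host auditd[10959]: dispatch error reporting limit reached - ending report notification.
Nov 12 11:40:02 host auditd[10959]: dispatch err (pipe full) event lost
Nov 12 11:41:00 host sshd[2201]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Nov 12 12:00:00 host auditd[11020]: dispatch err (pipe full) event lost
"""

# The two auditd messages quoted in the thread; the PID is captured so that
# losses can be attributed to a particular auditd instance (e.g. across restarts).
LOST_RE = re.compile(r"auditd\[(\d+)\]: dispatch err \(pipe full\) event lost")
LIMIT_RE = re.compile(r"auditd\[(\d+)\]: dispatch error reporting limit reached")


def summarize_dispatch_loss(log_text):
    """Return {pid: {"lost_reported": n, "limit_reached": bool}} for each auditd PID
    that logged a dispatch loss. Non-auditd lines are ignored."""
    stats = {}
    for line in log_text.splitlines():
        m = LOST_RE.search(line)
        if m:
            entry = stats.setdefault(m.group(1), {"lost_reported": 0, "limit_reached": False})
            entry["lost_reported"] += 1
            continue
        m = LIMIT_RE.search(line)
        if m:
            entry = stats.setdefault(m.group(1), {"lost_reported": 0, "limit_reached": False})
            entry["limit_reached"] = True
    return stats


def report(stats):
    """Render one line per auditd PID; once the reporting limit was hit, the
    logged count understates the real loss, so it is labelled a lower bound."""
    lines = []
    for pid in sorted(stats, key=int):
        entry = stats[pid]
        qualifier = " (lower bound: reporting limit was reached)" if entry["limit_reached"] else ""
        lines.append("auditd[%s]: %d lost events reported%s" % (pid, entry["lost_reported"], qualifier))
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_dispatch_loss(SAMPLE_LOG))))
```

Pointing it at the real messages file (`summarize_dispatch_loss(open("/var/log/messages").read())`) shows whether losses cluster around one auditd PID or one time window, which is the same question Steve's aureport suggestion is trying to answer from the other side.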
