Hi everyone, I work in an environment with Internet-isolated networks. I am having a problem that presents the following in /var/log/messages:

    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch err (pipe full) event lost
    auditd[787]: dispatch error reporting limit reached - ending report notification
While tailing /var/log/audit/audit.log I noticed a high volume of data pouring into the file; it looked like it was tied to the same "keyed" audit rule, so I commented out all of the rules associated with that -k "key." I restarted the audit daemon and continued to monitor /var/log/audit/audit.log; the speed at which records were pouring in was drastically reduced; however, /var/log/messages is still reporting the same dispatch errors. The rules that were pegging audit.log (and forcing it to roll over every 2 minutes at a size of 36MB) were commented out, and /usr/sbin/ntpd (I think through the adjtimex syscall) is now the more recent culprit. Any suggestions on how to resolve this problem?

--------------------------
Warron French
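The triage the post describes by hand (tailing audit.log and working out which -k key dominates) can be scripted. The following is an added example, not part of the original post and not a tool from the audit package: it ranks audit records by key, then breaks one key down by syscall number and executable so that a flood can be tied to both a rule and a process. The audit.log lines it reads are constructed here to mimic the situation described (ntpd and the adjtimex syscall, which is number 159 on x86_64); the key name "time-change" and the event ids are assumptions. On a real host the two functions would be fed /var/log/audit/audit.log instead of sample_log.

```shell
#!/bin/sh
# Added example (not from the original post): find which audit rule key and
# which process are producing most of the records in an audit.log.

# Constructed sample audit.log records; the key name and ids are assumptions.
# syscall=159 is adjtimex on x86_64, the call the post suspects ntpd of making.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1500000001.123:1001): arch=c000003e syscall=159 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1500000001.456:1002): arch=c000003e syscall=159 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=SYSCALL msg=audit(1500000002.001:1003): arch=c000003e syscall=2 success=yes exit=3 comm="bash" exe="/usr/bin/bash" key="access"
type=SYSCALL msg=audit(1500000002.002:1004): arch=c000003e syscall=159 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
type=CRED_ACQ msg=audit(1500000003.000:1005): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'
type=SYSCALL msg=audit(1500000003.100:1006): arch=c000003e syscall=257 success=yes exit=4 comm="cat" exe="/usr/bin/cat" key="access"
EOF
}

# Count records per -k key, most frequent first. Records without a quoted
# key="..." field (including key=(null) and non-SYSCALL types) are grouped
# under "(no key)". Reads audit records from stdin; output: "<count> <key>".
count_by_key() {
    awk '
    /^$/ { next }
    {
        key = "(no key)"
        if (match($0, /key="[^"]*"/))
            key = substr($0, RSTART + 5, RLENGTH - 6)   # strip key=" and closing "
        counts[key]++
    }
    END { for (k in counts) print counts[k], k }' | sort -rn
}

# For one key, count records by syscall number and executable so the noisy
# rule can be tied to a process. Output: "<count> <syscall> <exe>".
count_by_exe_for_key() {
    awk -v key="key=\"$1\"" '
    index($0, key) {
        sc = "?"; exe = "?"
        if (match($0, /syscall=[0-9]+/))
            sc = substr($0, RSTART + 8, RLENGTH - 8)    # digits after syscall=
        if (match($0, /exe="[^"]*"/))
            exe = substr($0, RSTART + 5, RLENGTH - 6)   # path inside exe="..."
        counts[sc " " exe]++
    }
    END { for (k in counts) print counts[k], k }' | sort -rn
}

# Usage against the constructed sample (replace sample_log with
# `cat /var/log/audit/audit.log` on a real host).
echo "records per key:"
sample_log | count_by_key
echo "breakdown of the busiest key:"
busiest=$(sample_log | count_by_key | head -n 1 | cut -d' ' -f2-)
sample_log | count_by_exe_for_key "$busiest"
```

Where the audit userspace tools are installed, `aureport -k --summary` gives the per-key totals directly from the live log; the script is mainly useful for a copy of the log carried off an isolated host. Note also that the "dispatch err (pipe full)" messages are produced when auditd cannot write an event into the pipe to its dispatcher (audispd), so reducing record volume relieves the symptom, but the dispatcher side falling behind is what the message is actually reporting.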
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
