How to recover error - Audit error: dispatch err (pipe full) event lost

How to recover error - Audit error: dispatch err (pipe full) event lost?

Solution Unverified - Updated -

Environment

  • Red Hat Enterprise Linux 7.3

Issue

  • Log file /var/log/messages showing audit error as below -

    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch err (pipe full) event lost
    dispatch error reporting limit reached - ending report notification.
    

Resolution

  • Edit /etc/audit/auditd.conf and set the value of disp_qos=lossy setting to disp_qos=lossless

    cat /etc/audit/auditd.conf  | grep disp_qos
    disp_qos=lossless 
    

Root Cause

  • The reason behind this error is that program is not pulling the events from the audit daemon fast enough.
0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Configuring VLAN interfaces in Linux
Viewed 2185 times since Mon, May 21, 2018
RHEL7: How to get started with Firewalld.
Viewed 1848 times since Wed, May 22, 2019
HP-UX - Stunnel Configuration
Viewed 647 times since Fri, Sep 28, 2018
LVM: Reduce an existing Logical Volume / Filesystem
Viewed 841 times since Sat, Jun 2, 2018
Linux Audit The Linux security blog about Auditing, Hardening, and Compliance lynis
Viewed 613 times since Thu, Jan 16, 2020
LVM: Extend SWAP size by growing existing Logical Volume
Viewed 910 times since Sat, Jun 2, 2018
awk printf
Viewed 3999 times since Wed, Aug 19, 2020
RHEL: Extending the maximum inode count on a ext2/ext3/ext4 filesystem
Viewed 1320 times since Sun, May 27, 2018
debian How to check Debian CVE status using python script
Viewed 738 times since Sun, Sep 23, 2018
How to create stunnel with systemd? stunnel
Viewed 1347 times since Thu, Jan 16, 2020