How to recover error - Audit error: dispatch err (pipe full) event lost
Article Number: 633 | Rating: Unrated | Last Updated: Tue, Aug 6, 2019 3:25 PM
How to recover error - Audit error: dispatch err (pipe full) event lost?
Environment
- Red Hat Enterprise Linux 7.3
Issue
-
Log file
/var/log/messagesshowing audit error as below -dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch err (pipe full) event lost dispatch error reporting limit reached - ending report notification.
Resolution
-
Edit
/etc/audit/auditd.confand set the value ofdisp_qos=lossysetting todisp_qos=losslesscat /etc/audit/auditd.conf | grep disp_qos disp_qos=lossless
Root Cause
- The reason behind this error is that program is not pulling the events from the audit daemon fast enough.
Subscribe to Article
Print Article
Email Article to Friend
Export to PDF
Export to MS Word