How to recover error - Audit error: dispatch err (pipe full) event lost -

How to recover error - Audit error: dispatch err (pipe full) event lost

Environment

Red Hat Enterprise Linux 7.3

Issue

Log file /var/log/messages showing audit error as below -

dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch err (pipe full) event lost
dispatch error reporting limit reached - ending report notification.

Resolution

Edit /etc/audit/auditd.conf and set the value of disp_qos=lossy setting to disp_qos=lossless
Raw
```
cat /etc/audit/auditd.conf  | grep disp_qos
disp_qos=lossless 
```

Root Cause

The reason behind this error is that program is not pulling the events from the audit daemon fast enough.

Article Number: 633
Posted: Tue, Aug 6, 2019 3:25 PM
Last Updated: Tue, Aug 6, 2019 3:25 PM

Online URL: http://kb.ictbanking.net/article.php?id=633