[RESOLVED] - howto disable /sbin/audisp

Support for security such as Firewalls and securing linux
Post Reply
User avatar
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[RESOLVED] - howto disable /sbin/audisp

Post by warron.french » 2017/03/17 12:21:12

Can anyone tell me how to disable the audispatch service (/sbin/audisp?

I have a whole network of systems that seems to have poor audit.rules (as dictated by the customer) and the /var/log/audit/audit.log is rolling every 2 minutes; which I learned by reviewing the errors about audispatch choking on the volume of event records generating errors in /var/log/messages.

I commented out 4 rules in duplicate 3x out of all the *.rules files under /etc/audit/ and /etc/audit/rules.d; and the event recording quieted down considerably, but the audispatch error still persist. I would like to see if disabling audispd will help prevent these errors.

The errors in my /var/log/messages file look like the following (without hostnames and dates):

Code: Select all

auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch error reporting limit reached - ending report notification
Last edited by warron.french on 2017/07/14 17:05:41, edited 1 time in total.
Thanks,
War

User avatar
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: howto disable /sbin/audisp

Post by warron.french » 2017/07/14 17:05:26

I am surprised that after several months nobody every replied, but the solution was to go into the /etc/audit/auditd.conf file and comment out the line with /sbin/audispd. It's that simple.
Thanks,
War

jayharp
Posts: 1
Joined: 2017/07/17 23:54:46

Re: [RESOLVED] - howto disable /sbin/audisp

Post by jayharp » 2017/07/17 23:57:07

Thanks Warren. I was tired of seeing this error.

User avatar
warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: [RESOLVED] - howto disable /sbin/audisp

Post by warron.french » 2018/08/27 01:05:55

My pleasure jayharp.
Thanks,
War

Post Reply