I have a whole network of systems that seem to have poor audit.rules (as dictated by the customer), and /var/log/audit/audit.log is rolling every 2 minutes, which I learned by reviewing the errors about audispatch choking on the volume of event records, generating errors in /var/log/messages.
I commented out 4 rules, duplicated 3x, out of all the *.rules files under /etc/audit/ and /etc/audit/rules.d, and the event recording quieted down considerably, but the audispatch errors still persist. I would like to see if disabling audispd will help prevent these errors.
The errors in my /var/log/messages file look like the following (without hostnames and dates):
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch err (pipe full) event lost
auditd[787]: dispatch error reporting limit reached - ending report notification
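As an added example that is not part of the original post, the shell functions below measure the dispatcher loss described above instead of eyeballing it. They count the "event lost" lines auditd writes, bucket them per minute to find the worst period, and flag the "reporting limit reached" line, which matters because once auditd stops reporting, the count is only a lower bound on how many events were actually dropped. The log lines are constructed sample input in the same format as the messages quoted above; the file path and hostname are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: measure auditd dispatcher
# "event lost" messages in a syslog-style file (e.g. /var/log/messages).
set -eu

# Constructed sample of /var/log/messages (hostname and dates are made up).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 12:00:01 host1 auditd[787]: dispatch err (pipe full) event lost
Jan 10 12:00:01 host1 auditd[787]: dispatch err (pipe full) event lost
Jan 10 12:00:02 host1 auditd[787]: dispatch err (pipe full) event lost
Jan 10 12:00:02 host1 auditd[787]: dispatch error reporting limit reached - ending report notification
Jan 10 12:03:15 host1 auditd[787]: dispatch err (pipe full) event lost
Jan 10 12:03:15 host1 sshd[1234]: Accepted publickey for admin from 192.0.2.10
EOF

# count_lost_events FILE -> number of "event lost" lines written by auditd
count_lost_events() {
    grep -c 'auditd\[[0-9]*\]: dispatch err (pipe full) event lost' "$1" || true
}

# limit_reached FILE -> "yes" if auditd hit its error-reporting limit,
# meaning it stopped logging further losses and the count above is a floor.
limit_reached() {
    if grep -q 'dispatch error reporting limit reached' "$1"; then
        echo yes
    else
        echo no
    fi
}

# lost_per_minute FILE -> "<Mon> <DD> <HH:MM> <count>" per minute, worst first
lost_per_minute() {
    grep 'dispatch err (pipe full) event lost' "$1" \
      | awk '{ key = $1 " " $2 " " substr($3, 1, 5); n[key]++ }
             END { for (k in n) print k, n[k] }' \
      | sort -k4,4nr
}

# Stand-alone run: summarise the sample file.
echo "lost events logged: $(count_lost_events "$SAMPLE_LOG")"
echo "reporting limit reached: $(limit_reached "$SAMPLE_LOG")"
echo "worst minutes:"
lost_per_minute "$SAMPLE_LOG"
```

Run it against the real file by replacing `SAMPLE_LOG` with `/var/log/messages`; if `limit_reached` prints `yes`, compare the per-minute peaks with the rule set rather than trusting the raw count, since the true loss is higher than what auditd managed to report.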