Deployment Architecture

Broken pipe Errno 32 and it is not even cold yet.

djfisher
Explorer

I saw someone had this kind of issue last year and did not see an answer. I will explain my situation.

I have an issue with a particular machine using the *NIX app for forwarding audits using the built-in ausearch script. The ausearch option is giving errors and not collecting data. It is working fine on many others running the same software. This was happening with Splunk 4.1.5 and continues with Splunk 4.1.6.

Redhat Linux Enterprise 5.5

option set in *NIX app

Linux Audit Log (/var/log/audit/audit.log | ausearch)

When this is enabled I get this error:

Splunkd.log

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" Traceback (most recent call last):
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" File "/opt/splunk/etc/apps/unix/bin/readlog.py", line 97, in ?
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" print line,
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" IOError: [Errno 32] Broken pipe.

Thinking maybe the rlog.sh script file was corrupted, I copied another one from an identical setup, and this particular machine gives this error. I can run the ausearch manually on the machine and can also read /var/log/audit/audit.log on Splunk. I added this after I noticed the error and no files being collected from the *NIX ausearch.

1 Solution

djfisher
Explorer

Reloading our custom audit.rules and restarting auditd looks like it helped. Not sure this was the total resolution, because this was done before as a possible remedy.


0 Karma

djfisher
Explorer

This problem started happening again... still no answer.

0 Karma
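
The error in the traceback above, reproduced as an added example that is not part of the original thread and is not the *NIX app's readlog.py: Errno 32 (EPIPE) is raised on the writing side of a pipe once the process reading it has exited. The function names and the audit-style sample lines are constructed for illustration.

```python
import errno
import subprocess
import sys

# Constructed sample records shaped like audit.log lines (not real data).
SAMPLE = [
    "type=SYSCALL msg=audit(1300000000.001:101): syscall=2 success=yes\n",
    "type=PATH msg=audit(1300000000.001:101): name=\"/etc/passwd\"\n",
    "type=USER_LOGIN msg=audit(1300000000.002:102): res=failed\n",
]

def forward(lines, out):
    """Write each line to `out`; return (lines_delivered, errno_or_None).

    A bare print to a pipe whose reader is gone dies with Errno 32.
    Catching EPIPE lets a forwarder record how far it got instead.
    """
    sent = 0
    for line in lines:
        try:
            out.write(line)
            out.flush()          # surface the error on this line, not at exit
        except OSError as exc:   # BrokenPipeError is the EPIPE case of OSError
            if exc.errno != errno.EPIPE:
                raise
            return sent, errno.EPIPE
        sent += 1
    return sent, None

def reader_exits_early():
    """Hypothetical reader consumes one line and exits; writer then hits EPIPE."""
    reader = subprocess.Popen(
        [sys.executable, "-c", "import sys; sys.stdin.readline()"],
        stdin=subprocess.PIPE, text=True)
    first = forward(SAMPLE[:1], reader.stdin)
    reader.wait()                # read end of the pipe is now closed
    rest = forward(SAMPLE[1:], reader.stdin)
    try:
        reader.stdin.close()     # the pending buffer fails to flush again
    except OSError:
        pass
    return first, rest

if __name__ == "__main__":
    print(reader_exits_early())
```

The count of delivered lines shows where in the stream the reader went away, which is the gap to look for in the collected audit data.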
