Deployment Architecture

Broken pipe Errno 32 and it is not even cold yet.


I saw someone had this kind of issue last year and did not see an answer. I will explain my situation.

I have an issue with a particular machine using the *NIX app for forwarding audits using the built-in ausearch script. The ausearch option is giving errors and not collecting data. It is working fine on many others running the same software. This was happening with Splunk 4.1.5 and continues with Splunk 4.1.6.

Red Hat Enterprise Linux 5.5

Option set in *NIX app:

Linux Audit Log (/var/log/audit/audit.log | ausearch)

When this is enabled I get this error:

splunkd.log:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" Traceback (most recent call last):
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh"   File "/opt/splunk/etc/apps/unix/bin/readlog.py", line 97, in ?
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh"     print line,
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/unix/bin/rlog.sh" IOError: [Errno 32] Broken pipe

Thinking maybe the rlog.sh script file was corrupted, I copied another one from an identical setup, and this particular machine gives this error. I can run ausearch manually on the machine and can also read /var/log/audit/audit.log in Splunk. I added this after I noticed the error and no files being collected from the *NIX ausearch.
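The traceback in the question is the classic shape of an EPIPE failure: the reading end of the pipe (here, the process launched by splunkd) goes away, the next write in readlog.py raises IOError/OSError with errno 32, and because nothing catches it the script dies with a traceback and collects nothing. The example below is an added illustration of how a log-forwarding script can stop cleanly when the reader disappears; it is not Splunk's readlog.py or any code from this thread. The audit-style lines and the FlakyPipe writer are constructed test fixtures, and forward_lines and demo are hypothetical names.

```python
import errno
import io
import os
import sys
from typing import Iterable, TextIO, Tuple

# Constructed sample lines in the style of /var/log/audit/audit.log
# (not taken from any real system).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1290000000.123:45): arch=c000003e syscall=2 success=yes',
    'type=CWD msg=audit(1290000000.123:45): cwd="/root"',
    'type=PATH msg=audit(1290000000.123:45): item=0 name="/etc/shadow"',
]


def forward_lines(lines: Iterable[str], out: TextIO) -> Tuple[int, bool]:
    """Copy each line to `out`, flushing as we go.

    Returns (lines_written, pipe_closed). Python ignores SIGPIPE by default,
    so a reader that closed its end shows up as OSError(errno=EPIPE)
    (BrokenPipeError on Python 3) on the next write. Instead of letting the
    traceback escape, we stop forwarding and tell the caller, who can exit
    with a clear status and keep the rest of the collector healthy.
    """
    written = 0
    for line in lines:
        try:
            out.write(line + "\n")
            out.flush()
        except OSError as exc:
            if exc.errno == errno.EPIPE:
                return written, True
            raise  # any other I/O failure is a real bug; surface it
        written += 1
    return written, False


class FlakyPipe(io.StringIO):
    """Test double: a writer whose reader goes away after `limit` writes."""

    def __init__(self, limit: int):
        super().__init__()
        self.limit = limit
        self.count = 0

    def write(self, s: str) -> int:
        if self.count >= self.limit:
            raise BrokenPipeError(errno.EPIPE, "Broken pipe")
        self.count += 1
        return super().write(s)


def demo() -> dict:
    """Run the forwarder against a healthy buffer and against a pipe that
    closes after one line; returns the outcomes for inspection."""
    healthy = io.StringIO()
    n_ok, closed_ok = forward_lines(SAMPLE_AUDIT_LINES, healthy)
    n_bad, closed_bad = forward_lines(SAMPLE_AUDIT_LINES, FlakyPipe(limit=1))
    return {
        "healthy": (n_ok, closed_ok, healthy.getvalue().count("\n")),
        "broken": (n_bad, closed_bad),
    }


if __name__ == "__main__":
    # Real use: stream stdin (e.g. ausearch output) to stdout for a collector.
    n, closed = forward_lines((l.rstrip("\n") for l in sys.stdin), sys.stdout)
    if closed:
        # Point stdout at /dev/null so the interpreter's exit-time flush does
        # not raise a second EPIPE, then exit non-zero so the failure is logged.
        os.dup2(os.open(os.devnull, os.O_WRONLY), sys.stdout.fileno())
        sys.stderr.write("reader closed pipe after %d lines\n" % n)
        sys.exit(1)
```

The point for a collector like this is that EPIPE is a signal about the other end of the pipe, not about the log being read: when it recurs on one host, the thing to inspect is whatever is consuming the script's output (timeouts, restarts, the audit rule reload that the accepted answer mentions), not the audit log itself.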

1 Solution


Reloading our custom audit.rules and restarting auditd looks like it helped. Not sure this was the total resolution, because this was done before as a possible remedy.


This problem started happening again... still no answer.
