
Auditing

Angela L. Shepherd_1
Occasional Advisor

Auditing

I can't get auditing to work on one of my systems. When I go into sam (select auditing and security and then audited events) I receive the following error message:

The attempt to modify the auditing configuration using audsys failed. The command return value was "-1" and the standard error output was: warning: cannot read badly formatted /.secure/etc/audnames current audit file /audsys/audsys/af.start1 insufficient space available on audit file filesystem, specify a different audit file of select a smaller AFS auditing system unchanged.

I can't remember how to specify a different audit file from the command line.
Steven Sim Kok Leong
Honored Contributor
Solution

Re: Auditing

Hi,

# audsys -c pathname-of-new-audit-file -s size-in-kbytes

Hope this helps. Regards.

Steven Sim Kok Leong
Brainbench MVP for Unix Admin
http://www.brainbench.com
Jason VanDerMark
Trusted Contributor

Re: Auditing

You could use

audsys -n -c auditlog.new

This should start auditing and set the current file (the one that all audit records are set in) to auditlog.new. It is best to set the current file to one that doesn't exist or to one that is empty. Hope this is what you were looking for. For more info, check out the manpages on audit or audsys or any of the other audit commands.

Good Luck,
Jason V.
Tie two birds together, even though they have four wings, they cannot fly.
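
An added example, not part of the replies above and not HP's code: a pre-flight check for the two conditions this thread turns on, that the new audit file is absent or empty and that its filesystem has room for the requested size. The function names are hypothetical, `df -Pk` (POSIX output format) is assumed to be available, and the script only prints the `audsys -n -c ... -s ...` line instead of running it.

```shell
#!/bin/sh
# Added example: validate a candidate audit file before handing it to audsys.
# Function names are hypothetical; df -Pk (POSIX format) is an assumption.

free_kb() {
    # Available KB on the filesystem holding directory $1 (column 4 of df -P).
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

check_audit_target() {
    file=$1
    size_kb=$2
    dir=$(dirname "$file")

    # The -s argument is a size in kbytes, so accept digits only.
    case $size_kb in
        ''|*[!0-9]*) echo "size must be a whole number of KB" >&2; return 2 ;;
    esac

    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 3; }

    # Per the advice above: use a file that does not exist or is empty.
    if [ -s "$file" ]; then
        echo "$file already holds data; choose a new or empty file" >&2
        return 4
    fi

    # The SAM error was "insufficient space available on audit file
    # filesystem", so compare the requested size with what is free.
    avail=$(free_kb "$dir")
    case $avail in
        ''|*[!0-9]*) echo "could not read free space for $dir" >&2; return 6 ;;
    esac
    if [ "$avail" -lt "$size_kb" ]; then
        echo "only $avail KB free under $dir, need $size_kb" >&2
        return 5
    fi

    # Checks passed: print the command for the administrator to run as root.
    echo "audsys -n -c $file -s $size_kb"
}

# Stand-alone use: sh script.sh /path/to/new-audit-file size-in-kbytes
if [ "$#" -eq 2 ]; then
    check_audit_target "$1" "$2"
fi
```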
Madhu Sudhan_1
Respected Contributor

Re: Auditing

Hi Angela!

You can use

#audsys -n -c -s -x -z

"-n" stands for turning on the audit system and "-f" for turning off.

...Madhu
Think Positive
Angela L. Shepherd_1
Occasional Advisor

Re: Auditing

I don't have a /.secure/etc/audnames file.
Madhu Sudhan_1
Respected Contributor

Re: Auditing

Hi Angela!
Looks to me like the "audnames" file is corrupted or not there. Turn off the auditing by using audsys and the "-f" option and restore the audnames file from the backup if you have backed it up.

or

try

#touch /.secure/etc/audnames (to create an empty file)

and then turn on the auditing and the audit users and audit events. I looked for the format of audnames and couldn't find it.

Hope this helps.
...Madhu
Think Positive