topic Re: audfile log files continually switching in Operating System - HP-UX

audfile log files continually switching

N Ward — Wed, 24 Mar 2010 11:56:41 GMT

Hi...

The system is trusted and has two auditfiles. They auditing system is configured to switch at 500mb. The auditing filesystem is 8Gb in size as has almost 100% free. audomon is set to 20 and 90 so no problems there, however the auditfile keeps switching after only a small file size.. I am puzzled.. Any idea?

Re: audfile log files continually switching

Turgay Cavdar — Wed, 24 Mar 2010 13:19:13 GMT

Re: audfile log files continually switching

N Ward — Wed, 24 Mar 2010 13:52:12 GMT

Hi,
normally auditing system does not keep switching, it only switches to "next" audit trail and start growing there unless you gibe them another next file. If it is switching then i think someone manually switches the logs or there is crontab script switch the logs.

Hi, there is no crontab entry and no one is manually switching. It switches roughly every 4 minutes or so.. If I execute audsys on its own, it shows the correct switch sizes, but never gets to them before it switches. audting is not being restarted as can be seen in the syslog.

Re: audfile log files continually switching

Turgay Cavdar — Wed, 24 Mar 2010 17:00:10 GMT

Hi again,
Can you post the OS version and
# audsys

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 08:06:32 GMT

Hi audsys output attached..

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 08:36:32 GMT

Also OS version 11.23. Its an IA 64 server.

Re: audfile log files continually switching

Turgay Cavdar — Thu, 25 Mar 2010 10:22:14 GMT

Hi again,

audsys
auditing system is currently on
current file: /var/log/secure/audfile2
next file: /var/log/secure/audfile1
statistics: afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000000 121 100 8388608 29872 100
next file: 0 -1068546688 0 0 0 2004692016

Next file values are nor realistic here. From your output i can say that your system only switch to next file "/var/log/secure/audfile1" when the log file excceds 1GB value. But as i said before if it switches to next file "/var/log/secure/audfile1" then it will not switch to "/var/log/secure/audfile2" if you not set it as the next file and it is empty.

So what do you see in syslog.log? Switch entries between files?
The current audit file is switched from /var/log/secure/audfile1 to /var/log/secure/audfile2
The current audit file is switched from /var/log/secure/audfile2 to /var/log/secure/audfile1

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 10:26:40 GMT

Yes in the syslog it switches from audfile1 to audfile2 and back to audfile1 every 5 or so minutes. The files don't even reach a 100mb in size. Yes the audsys output does look strange, but I can find no reason why it looks like this.

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 10:29:33 GMT

Auditing is configured to use both files I can provide the configuration output to show how auditing is started that includes the primary and secondary file and their file switch sizes..

Re: audfile log files continually switching

Turgay Cavdar — Thu, 25 Mar 2010 10:33:54 GMT

If you can stop the auditing on the system, you can fist backup the audit files then you can try:

# audsys -f
# cp /dev/null /var/log/secure/audfile1
# cp /dev/null /var/log/secure/audfile2
# audsys -n -c /var/log/secure/audfile1 -s 1000000 -x /var/log/secure/audfile2 -z 1000000

Then see what happens...

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 14:35:46 GMT

Hi, for the purposes of the test I can do this, the command line shown above, is exactly the same as is currently executed though so should show no change in behaviour.

Re: audfile log files continually switching

N Ward — Thu, 25 Mar 2010 15:48:02 GMT

Ran the above suggestion, at 16:24 started auditing using the above command line. At 16:27 auditing switched to the second file and switched back again 4 minutes later and has continued doing so..

Re: audfile log files continually switching

N Ward — Fri, 26 Mar 2010 15:02:32 GMT

I have discovered the problem.. We are using Realsecure on all our servers and when it starts it manages to hook into the audit subsystem and sets the audit switch size as 5000kb. Even if you stop and start auditing it makes no difference.

When you start Realsecure it states that it is setting the max audit file size to 5000kb. Problem solved..