Clark,
Here is what the security manual says, which is different than what sylogicals suggests.
HP OpenVMS Guide to System Security
OpenVMS Version 7.3-2
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/AA-Q2HLG-TE.pdfChapter 9 Security Auditing pg 204
-------------------------------------------------------------------------------------------------------
Moving the File from the System Disk
To relocate the file from the SYS$COMMON:[SYSMGR] directory, edit the command procedure
SYSECURITY.COM. This procedure executes each time the system is rebooted, before the audit server is
started.
To relocate the file, perform the following steps:
1. Change the startup sequence by adding a line to SYSECURITY.COM that directs the operating system to
mount the designated auditing disk before the audit server process is started rather than after. For
example:
$ IF .NOT. F$GETDVI("$1$DUA2","MNT") -
_$ THEN MOUNT/SYSTEM $1$DUA2 AUDIT AUDIT$ /NOREBUILD
The command in this example mounts a volume labeled AUDIT on $1$DUA2 and makes it available
systemwide. MOUNT also assigns the logical name AUDIT$.
2. Move the audit server database to the auditing disk, if you choose. The database remains small and fairly
stable so this step is not essential.
To move the database, add a second line to SYSECURITY.COM to define the system logical name
VMS$AUDIT_SERVER. (The line follows the one that mounts the auditing disk.) In the command, define
a system logical name and assign it to the VMS$AUDIT_SERVER data file on the disk with the logical
name AUDIT$. For example:
$ DEFINE/SYSTEM/EXEC VMS$AUDIT_SERVER AUDIT$:[AUDIT]VMS$AUDIT_SERVER.DAT
This command redirects the audit server database to the volume on $1$DUA2, which was mounted in
step 1.
3. From the DCL level, redirect the security audit log file to the volume mounted in SYSECURITY.COM (see
step 1). Use the SET AUDIT command to update the audit server database with the new location of the
security audit log file, and instruct the audit server process on each node in the cluster to begin using the
file. For example:
$ SET AUDIT/JOURNAL=SECURITY -
_$ /DESTINATION=AUDIT$:[AUDIT]SECURITY
Do not repeat this command on each system restart.
If you use a logical name in the specification of the security audit log file, it must be defined as a
/SYSTEM logical name in SYSECURITY.COM.
-------------------------------------------------------------------------------------------------------
Also see section "Managing the Auditing Subsystem" starting on page 212.
You currently have multiple audit journal files, since each system disk has its own sys$common. Accourding to the manual, that will work, but is not recommended: (from page 203)
-------------------------------------------------------------------------------------------------------
Ordinarily, all cluster events are written to a single audit log file. The use of one security audit log file in a
cluster results in a single record of all security-relevant events on the system. For this reason, one clusterwide
log file is preferable to node-specific audit logs, which lose the interrelationship of events across the cluster,
thus producing an incomplete analysis of security events. You can, if you wish, create node-specific audit logs
(see Maintaining the File), but this is not the recommended procedure.
-------------------------------------------------------------------------------------------------------
One more thing, set audit/start does not do everything needed to start auditing. You must do that, wait for the AUDSRV$CONTROL_MAILBOX to be created, then issue set audit/initiate. Or do what is recommended and use
$ @SYS$SYSTEM:STARTUP AUDIT_SERVER
(See help set audit/server)
Jon
it depends
