
Audit log file size exceed and audit log rotation

 
Kauser
Advisor

Dear Concern,

 

I've configured auditing on our system, but the log size exceeds the defined value. Please assist me in solving this issue.

 

bash-4.3# audsys
auditing system is currently on
current trail: /var/.audit/audfile1
next    trail: /var/.audit/audfile2
statistics-     afs Kb  used Kb  avail %    fs Kb  used Kb  avail %
current trail:    10000   251244    -2411 19267584  2278280       88
next    trail:    10000        0      100 19267584  2278280       88

auditing system is actively writing to 1 file(s)

bash-4.3# cat /etc/rc.config.d/auditing |grep -v "#"
AUDITING=0
PRI_AUDFILE=/var/.audit/audfile1
PRI_SWITCH=10000
SEC_AUDFILE=/var/.audit/audfile2
SEC_SWITCH=10000
AUDEVENT_ARGS1=" -P -F   -s connect"
AUDEVENT_ARGS2=" -P -f   -e create -e delete -e moddac -e removable -e login -e ipcopen -s creat -s chdir -s mknod -s chmod -s chown -s mount -s umount -s kill -s reboot -s execve -s swapon -s rename -s mkdir -s rmdir -s accept  -s shutdown -s acl -s umount2"
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=" -p -f   -s .audit_ctl -s .audit_tag_ctl -s .cachefsstat -s .cell_olstar_backout -s .cell_olstar_lock -s .cell_olstar_operate -s .cell_olstar_specify -s .cell_olstar_unlock -s .chmod_link -s .cmpt_rules -s .file_sec_ctl -s .gang_sched_ctl -s .kernel_module_ctl -s .mrgctl -s .p2p_bcopy_ctl -s .perf_ctl -s .perf_tool_ctl -s .postwait_ctl -s .priv_grp_ctl -s .proc_mgmt_ctl -s .proc_sec_ctl -s .processor_ctl -s .procsm_setop -s .sendfile_by_name -s .set_sys_info -s .setaudevent -s .setmemwindow -s __pset_rtctl -s access -s acct -s adjtime -s audctl -s audswitch -s bind -s chroot -s clock_settime -s close -s execv -s exit -s fattach -s fchdir -s fchmod -s fchown -s fcntl -s fdetach -s fork -s fsetacl -s fstat -s fstat64 -s ftruncate -s ftruncate64 -s getaccess -s getksym -s lchown -s link -s lockf -s lockf64 -s lstat -s lstat64 -s mlock -s mlockall -s mmap -s mmap64 -s modload -s modpath -s modstat -s moduload -s mpctl -s mq_close -s mq_open -s mq_unlink -s msgctl -s msgget -s munlock -s munlockall -s munmap -s open -s pipe -s plock -s pset_assign -s pset_bind -s pset_create -s pset_ctl -s pset_destroy -s pset_setattr -s ptrace -s recv -s recvfrom -s recvmsg -s rtprio -s sched_setparam -s sched_setscheduler -s sem_close -s sem_open -s sem_unlink -s semctl -s semget -s semop -s semtimedop -s send -s sendfile -s sendfile64 -s sendmsg -s sendto -s serialize -s setacl -s setaudid -s setaudproc -s setdomainname -s setevent -s setgid -s setgroups -s setpgid -s setpgrp -s setpgrp3 -s setpriority -s setregid -s setresgid -s setresuid -s setrlimit -s setrlimit64 -s setsockopt -s settimeofday -s settune -s setuid -s shm_open -s shm_unlink -s shmat -s shmctl -s shmdt -s shmget -s sigqueue -s socket -s socketpair -s stat -s stat64 -s stime -s swapctl -s symlink -s truncate -s truncate64 -s ttrace -s ulimit -s umask -s unlink -s vfork -s vfsmount"
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
bash-4.3#

 

In addition, please assist me with a log rotation procedure for the audit logs so that only the last 2 months of data are kept.

Thanks

Kauser

 

Lucky_Ali
HPE Pro

Re: Audit log file size exceed and audit log rotation

Hi, 

When the current trail exceeds a predefined capacity (its Audit File Switch (AFS) size), or when the auditing file system on which it resides approaches a predefined capacity (its File Space Switch (FSS) size), the auditing subsystem issues a warning. When either the AFS or the FSS of the current audit trail is reached, the auditing subsystem looks for an auxiliary trail. If one is available, the recording is switched to the auxiliary trail. If no auxiliary trail is specified, the auditing subsystem creates a new audit trail with the same base name but a different timestamp extension and begins recording to it. Audomon also takes a command line to run after a successful audit trail switch to process the last audit trail.

 

Depending on site-specific needs, the processing may involve data backup, archival, moving off-site, cleaning up or data reporting. If auto-switch is unsuccessful, warning messages are sent to request appropriate administrator action and the current audit trail continues to grow.

For log rotation, you would need to write a script and schedule it in cron, or you can use this open-source product from the site below:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/logrotate-3.12.3/

Thanks.
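As an added example (not from this thread and not HPE code), here is the kind of cron-driven retention script the reply describes for the layout shown in the question: it scans /var/.audit, never touches the two active trails named by PRI_AUDFILE and SEC_AUDFILE in /etc/rc.config.d/auditing, and deletes switched-out trails older than a retention period (60 days for the two-month requirement). The directory and the audfile* naming come from the post; the function names, the DRY_RUN variable and the cron schedule are assumptions.

```shell
#!/bin/sh
# Retention script for switched-out HP-UX audit trails (constructed example).
# Assumptions: trails live in AUDIT_DIR and match 'audfile*'; the two live
# trails are the PRI_AUDFILE / SEC_AUDFILE values from /etc/rc.config.d/auditing.
# Example crontab entry (assumed path and schedule, run nightly at 02:00):
#   0 2 * * * /usr/local/sbin/purge_audit_trails.sh

AUDIT_DIR=/var/.audit
RETAIN_DAYS=60     # keep roughly the last two months of trails

# is_active_trail PATH PRI SEC -> 0 if PATH is one of the live trails
is_active_trail() {
    [ "$1" = "$2" ] || [ "$1" = "$3" ]
}

# purge_old_trails DIR DAYS PRI SEC
# Deletes trails under DIR older than DAYS days, skipping the two active
# trails regardless of their age, and prints each path it removed.
# Set DRY_RUN=1 to only list what would be removed.
# (Audit trail names contain no whitespace, so word-splitting find's output
# is safe here.)
purge_old_trails() {
    dir=$1; days=$2; pri=$3; sec=$4
    for f in $(find "$dir" -type f -name 'audfile*' -mtime +"$days" 2>/dev/null); do
        if is_active_trail "$f" "$pri" "$sec"; then
            continue            # never delete the trail being written or its successor
        fi
        if [ -z "${DRY_RUN:-}" ]; then
            rm -f "$f"
        fi
        echo "$f"
    done
    return 0
}

# Read the live trail names from the rc config when run as a script.
# Comment out this block to source the functions from elsewhere.
if [ -r /etc/rc.config.d/auditing ]; then
    pri=$(sed -n 's/^PRI_AUDFILE=//p' /etc/rc.config.d/auditing)
    sec=$(sed -n 's/^SEC_AUDFILE=//p' /etc/rc.config.d/auditing)
    purge_old_trails "$AUDIT_DIR" "$RETAIN_DAYS" "$pri" "$sec"
fi
```

Run it once with DRY_RUN=1 to confirm it lists only the timestamp-suffixed trails before letting cron run it unattended.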


Kauser
Advisor

Re: Audit log file size exceed and audit log rotation

Hi,

In our case, the AFS size has already been exceeded but the audit file is still growing. Please share a solution with us to resolve the issue.

With Best Regards,

Md. Abdullah-Al Kauser