Operating System - HP-UX

Auditing - Why does the auditing log files continues to grow beyond specified value?

 
Paul F. Bennett
Advisor


Despite being set to 1000 kB, the secondary auditing log file continues to grow beyond the SEC_SWITCH value specified in the /etc/rc.config.d/auditing config file.

 

Server1:/.secure/etc# ll
total 8048
-rw-------   1 root       sys        1034032 Aug 24 09:51 audfile1
-rw-------   1 root       sys        2528230 Aug 24 11:15 audfile2 <----
-rw-------   1 root       sys             54 Aug 24 09:15 audnames

 

AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000 <---
AUDEVENT_ARGS1=" -P -F   -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

Matti_Kurkela
Honored Contributor

Re: Auditing - Why does the auditing log files continues to grow beyond specified value?

You have specified audfile1 as the primary audit file, and audfile2 as the secondary, or "next" audit file. When the primary file reaches 1000 kB size, the audit subsystem will begin writing to audfile2. At this point, audfile2 becomes the new primary audit file, and there will be no next audit file defined any more.

 

You should have some process in place (e.g. a cron job or other periodic task) to check if the audit file has switched, and if it has, archive the old audit file and set up a new "next" audit file.

 

If this is not done and audfile2 reaches 1000 kB size too, the audit subsystem cannot switch anywhere else: it has no idea where to switch to.

 

The design of the audit subsystem assumes auditing is serious stuff: it is assumed that losing any audit records might raise national security issues, invoke the wrath of Sarbanes-Oxley auditors or cause something else you really wish to avoid. Therefore, if the system has no file to switch to, it keeps on writing to the current file as long as it can. If the disk holding the current audit file becomes full and there is no next audit file defined and a user process is doing something that requires writing an audit log entry, it is time for drastic measures: the process will be frozen until the audit entry can be successfully written. No audit logging whenever required = no service!

 

In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file.

MK
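
The periodic check described in the reply above, as an added example that is not code from the thread or from HP: a root cron job that notices when no "next" audit file is defined, archives the idle file of the audfile1/audfile2 pair, and re-arms it with `audsys -x ... -z ...`. The layout of the status printed by a bare `audsys` (including `none` for a missing next file), the archive directory, and the helper names are assumptions; check them against the output on your own system.

```shell
#!/bin/sh
# Added example (not from the thread): re-arm the "next" audit file from cron.
# Assumed: the status layout of a bare `audsys`, ARCHIVE_DIR, helper names.

AUDIT_DIR=/.secure/etc            # directory shown in the thread
ARCHIVE_DIR=/var/adm/audit_old    # hypothetical archive location
SWITCH_KB=1000                    # same value as PRI_SWITCH / SEC_SWITCH

# Constructed sample: status after the switch to audfile2, no next file left.
SAMPLE_STATUS='auditing system is currently on
current file: /.secure/etc/audfile2
next file: none
statistics-      afs Kb  used Kb  avail %
current file:      1000    2469        0'

# status_field LABEL TEXT: value of the first "LABEL: value" line in TEXT.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | sed -n 1p
}

# file_to_recycle TEXT: print the idle file of the audfile1/audfile2 pair when
# no next file is defined; print nothing when a next file is already armed.
file_to_recycle() {
    cur=$(status_field 'current file' "$1")
    nxt=$(status_field 'next file' "$1")
    [ -n "$cur" ] || return 1     # auditing off or output not understood
    case "$nxt" in
        none|'') ;;
        *) return 0 ;;
    esac
    case "$cur" in
        */audfile1) echo "$AUDIT_DIR/audfile2" ;;
        *)          echo "$AUDIT_DIR/audfile1" ;;
    esac
}

# Runs only where audsys exists (the audited host); a no-op elsewhere.
if command -v audsys >/dev/null 2>&1; then
    old=$(file_to_recycle "$(audsys 2>&1)") || exit 1
    if [ -n "$old" ]; then
        umask 077
        mkdir -p "$ARCHIVE_DIR"
        # Archive the finished file first so the re-armed file starts empty.
        [ ! -f "$old" ] || mv "$old" "$ARCHIVE_DIR/$(basename "$old").$(date +%Y%m%d%H%M%S)"
        audsys -x "$old" -z "$SWITCH_KB"
    fi
fi
```

Keep the archive directory readable by root only and on a filesystem with enough free space, since the archived files are the audit record.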
Paul F. Bennett
Advisor

Re: Auditing - Why does the auditing log files continues to grow beyond specified value?

Great answer! Thanks

gdv
New Member

Re: Auditing - Why does the auditing log files continues to grow beyond specified value?

Hi,

I have a problem with auditing: it starts, switches to the SEC_AUDFILE, then I would like it to switch to another directory when the SEC_AUDFILE reaches the space limit I configured in the audit configuration file, probably with the same prefix but a different suffix (for example: a timestamp), but I haven't found a way to do it! You wrote this:

 

In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file. 

 

Can you explain to me which facility it is?

Thank you,

Gian