08-24-2011 11:19 AM
Auditing - Why do the auditing log files continue to grow beyond the specified value?
Despite being set to 1000 kB, the secondary auditing log file continues to grow beyond the SEC_SWITCH value specified in the /etc/rc.config.d/auditing config file.
Server1:/.secure/etc# ll
total 8048
-rw------- 1 root sys 1034032 Aug 24 09:51 audfile1
-rw------- 1 root sys 2528230 Aug 24 11:15 audfile2 <----
-rw------- 1 root sys 54 Aug 24 09:15 audnames
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000 <---
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
08-24-2011 10:21 PM
Re: Auditing - Why do the auditing log files continue to grow beyond the specified value?
You have specified audfile1 as the primary audit file, and audfile2 as the secondary, or "next" audit file. When the primary file reaches 1000 kB size, the audit subsystem will begin writing to audfile2. At this point, audfile2 becomes the new primary audit file, and there will be no next audit file defined any more.
You should have some process in place (e.g. a cron job or other periodic task) to check if the audit file has switched, and if it has, archive the old audit file and set up a new "next" audit file.
If this is not done and audfile2 reaches 1000 kB size too, the audit subsystem cannot switch anywhere else: it has no idea where to switch to.
The design of the audit subsystem assumes auditing is serious stuff: it is assumed that losing any audit records might raise national security issues, invoke the wrath of Sarbanes-Oxley auditors or cause something else you really wish to avoid. Therefore, if the system has no file to switch to, it keeps on writing to the current file as long as it can. If the disk holding the current audit file becomes full and there is no next audit file defined and a user process is doing something that requires writing an audit log entry, it is time for drastic measures: the process will be frozen until the audit entry can be successfully written. No audit logging whenever required = no service!
In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file.
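The periodic check described in this reply, as an added example that is not part of the original post: a script for root's crontab that notices the switch, registers a new "next" audit file with `audsys -x ... -z ...` (check the options against audsys(1M) on your release), and only then archives the retired file. The paths and the 1000 kB switch size come from the question; the archive directory, the state file, the `--run` argument and the "next file is empty until the switch" test are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven audit file rotation on HP-UX.
# AUDIT_DIR and SWITCH_KB mirror the /etc/rc.config.d/auditing values above.
# ARCHIVE_DIR, STATE and the --run argument are hypothetical names.
AUDIT_DIR=${AUDIT_DIR:-/.secure/etc}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/adm/audit_archive}
SWITCH_KB=${SWITCH_KB:-1000}
AUDSYS=${AUDSYS:-/usr/sbin/audsys}
# STATE holds one line: "<current audit file> <next audit file>", e.g.
# "/.secure/etc/audfile1 /.secure/etc/audfile2" right after auditing starts.
STATE=${STATE:-$AUDIT_DIR/rotate.state}

# Prints the newly registered "next" file when a switch was handled,
# prints nothing when no switch has happened. Non-zero status on failure.
rotate_if_switched() {
    read -r cur nxt < "$STATE" || return 2
    # Assumption: the "next" file stays empty until the subsystem switches to it.
    [ -s "$nxt" ] || return 0
    stamp=$(date +%Y%m%d%H%M%S)
    new="$AUDIT_DIR/audfile.$stamp"
    # Never reuse (and truncate) a name that already exists.
    [ ! -e "$new" ] || return 1
    # Create the file root-only (0600), like audfile1/audfile2 in the listing.
    ( umask 077; : > "$new" ) || return 1
    # Register the new "next" file BEFORE archiving, so the subsystem is
    # never left with nowhere to switch to (-x file, -z switch size in kB).
    "$AUDSYS" -x "$new" -z "$SWITCH_KB" || { rm -f "$new"; return 1; }
    echo "$nxt $new" > "$STATE"
    # The old current file is no longer written to; move it out of the way.
    mkdir -p "$ARCHIVE_DIR" && chmod 700 "$ARCHIVE_DIR" || return 1
    mv "$cur" "$ARCHIVE_DIR/$(basename "$cur").$stamp" || return 1
    echo "$new"
}

# From root's crontab the script is called with --run, e.g. every 5 minutes.
if [ "${1:-}" = "--run" ]; then rotate_if_switched >/dev/null; fi
```

Run it more often than the audit file can fill, and alert on a non-zero exit status: a failed registration means the subsystem is again writing to its last file with no successor.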
08-25-2011 10:28 AM
Re: Auditing - Why do the auditing log files continue to grow beyond the specified value?
Great answer! Thanks
09-23-2015 06:23 AM
Re: Auditing - Why do the auditing log files continue to grow beyond the specified value?
Hi,
I have a problem with auditing: it starts and switches to the SEC_AUDFILE. Then, when the SEC_AUDFILE reaches the space limit I configured in the audit configuration file, I would like it to switch to another directory, probably with the same prefix but a different suffix (for example, a timestamp), but I haven't found a way to do it! You wrote this:
"In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file."
Can you explain to me which facility it is?
Thank you,
Gian