Auditing audomon switches too soon

 
tonyG_2
Advisor

I am having issues with audomon switching to the SEC_AUDFILE too soon. I have replicated the issue to verify premature switching and need to verify if my settings are correct and also if anyone has seen this issue. Here is my auditing file:

AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1.`date +%y%m%d`
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2.`date +%y%m%d`
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

audnames file:

/.secure/etc/audfile1.100831,1000
/.secure/etc/audfile2.100831,1000

audsys output:

# date
Tue Aug 31 10:49:54 EDT 2010
# audsys
auditing system is currently on
current file: /.secure/etc/audfile1.100831
next file: /.secure/etc/audfile2.100831
statistics-    afs   Kb used  Kb avail %   fs       Kb used  Kb avail %
current file:  1000  4        100          1032192  894824   13
next file:     1000  0        100          1032192  894824   13


After 4 KB was written to audfile1.100831, it switched to audfile2.100831.

audsys:

# date
Tue Aug 31 10:50:49 EDT 2010
# audsys
auditing system is currently on
current file: /.secure/etc/audfile2.100831
next file: none
statistics-    afs   Kb used  Kb avail %   fs       Kb used  Kb avail %
current file:  1000  4        100          1032192  894832   13
next file:     none

The switching time varies, sometimes sooner, sometimes later.

Any ideas?
Yarema A. Mikhajliv
Frequent Advisor

Re: Auditing audomon switches too soon

Parameter "-p 20" means that the log will be switched when there is less than 20% free space. As I see, you have only 13% free space.
So, after starting the audit, it checks free space and switches the trail logs
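The reply's reasoning as an added shell example (not from the thread or from HP-UX itself): it pulls the -p value out of the AUDOMON_ARGS line of an /etc/rc.config.d/auditing-style file and compares it with the filesystem free-space percentage from the audsys "current file:" statistics row, so the premature switch can be predicted before auditing is turned on. The column order of that row and the rule that the trail switches once Kb used reaches the afs size are assumptions drawn from the post's output.

```shell
#!/bin/sh
# Added example, not the thread's or HP's code.  Assumed column order of the
# audsys statistics row (inferred from the post's output):
#   afs  Kb-used  Kb-avail%  fs  Kb-used  Kb-avail%

# Print the value of KEY="..." from config text on stdin, quotes stripped.
cfg_value() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# Print the argument following -p in an AUDOMON_ARGS string (nothing if absent).
audomon_p_arg() {
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "-p" ] && { echo "$2"; return 0; }
        shift
    done
    return 0
}

# Report which audomon condition fires for the given config text and
# statistics row: "switch:audit-file-full", "switch:fs-free-<avail>%<<min>%"
# or "ok".  The file-full rule (Kb used >= afs) is an assumption.
audomon_switch_reason() {
    cfg=$1; row=$2
    p=$(audomon_p_arg "$(printf '%s\n' "$cfg" | cfg_value AUDOMON_ARGS)")
    set -- $row
    afs=$1; afs_used=$2; fs_avail_pct=$6
    if [ "$afs_used" -ge "$afs" ]; then
        echo "switch:audit-file-full"
    elif [ -n "$p" ] && [ "$fs_avail_pct" -lt "$p" ]; then
        echo "switch:fs-free-${fs_avail_pct}%<${p}%"
    else
        echo "ok"
    fi
}

# Constructed sample mirroring the post: -p 20, but only 13% free on the filesystem.
SAMPLE_CFG='AUDITING=1
PRI_SWITCH=1000
AUDOMON_ARGS=" -p 20 -t 1 -w 90"'
SAMPLE_ROW='1000 4 100 1032192 894824 13'

audomon_switch_reason "$SAMPLE_CFG" "$SAMPLE_ROW"   # switch:fs-free-13%<20%
```

With the filesystem at 13% free, the -p threshold is already breached at startup, so PRI_SWITCH=1000 never decides the switch; lowering -p below the current free percentage (or freeing space) makes the "ok" branch apply.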