HPE Community
Operating System - HP-UX
1830892 Members
2865 Online
110017 Solutions
New Discussion

Re: audfile log files continually switching

 
N Ward
Regular Advisor

‎03-24-2010 04:56 AM

‎03-24-2010 04:56 AM

audfile log files continually switching

Hi...

The system is trusted and has two auditfiles. They auditing system is configured to switch at 500mb. The auditing filesystem is 8Gb in size as has almost 100% free. audomon is set to 20 and 90 so no problems there, however the auditfile keeps switching after only a small file size.. I am puzzled.. Any idea?
0 Kudos
Reply
12 REPLIES 12
Turgay Cavdar
Honored Contributor

‎03-24-2010 06:19 AM

‎03-24-2010 06:19 AM

Re: audfile log files continually switching

Hi,
normally auditing system does not keep switching, it only switches to "next" audit trail and start growing there unless you gibe them another next file. If it is switching then i think someone manually switches the logs or there is crontab script switch the logs.
0 Kudos
Reply
N Ward
Regular Advisor

‎03-24-2010 06:52 AM

‎03-24-2010 06:52 AM

Re: audfile log files continually switching

Hi,
normally auditing system does not keep switching, it only switches to "next" audit trail and start growing there unless you gibe them another next file. If it is switching then i think someone manually switches the logs or there is crontab script switch the logs.

Hi, there is no crontab entry and no one is manually switching. It switches roughly every 4 minutes or so.. If I execute audsys on its own, it shows the correct switch sizes, but never gets to them before it switches. audting is not being restarted as can be seen in the syslog.
0 Kudos
Reply
Turgay Cavdar
Honored Contributor

‎03-24-2010 10:00 AM

‎03-24-2010 10:00 AM

Re: audfile log files continually switching

Hi again,
Can you post the OS version and
# audsys
0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 01:06 AM

‎03-25-2010 01:06 AM

Re: audfile log files continually switching

Hi audsys output attached..

0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 01:36 AM

‎03-25-2010 01:36 AM

Re: audfile log files continually switching

Also OS version 11.23. Its an IA 64 server.
0 Kudos
Reply
Turgay Cavdar
Honored Contributor

‎03-25-2010 03:22 AM

‎03-25-2010 03:22 AM

Re: audfile log files continually switching

Hi again,

audsys
auditing system is currently on
current file: /var/log/secure/audfile2
next file: /var/log/secure/audfile1
statistics: afs Kb used Kb avail % fs Kb used Kb avail %
current file: 1000000 121 100 8388608 29872 100
next file: 0 -1068546688 0 0 0 2004692016


Next file values are nor realistic here. From your output i can say that your system only switch to next file "/var/log/secure/audfile1" when the log file excceds 1GB value. But as i said before if it switches to next file "/var/log/secure/audfile1" then it will not switch to "/var/log/secure/audfile2" if you not set it as the next file and it is empty.

So what do you see in syslog.log? Switch entries between files?
The current audit file is switched from /var/log/secure/audfile1 to /var/log/secure/audfile2
The current audit file is switched from /var/log/secure/audfile2 to /var/log/secure/audfile1
0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 03:26 AM

‎03-25-2010 03:26 AM

Re: audfile log files continually switching

Yes in the syslog it switches from audfile1 to audfile2 and back to audfile1 every 5 or so minutes. The files don't even reach a 100mb in size. Yes the audsys output does look strange, but I can find no reason why it looks like this.
0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 03:29 AM

‎03-25-2010 03:29 AM

Re: audfile log files continually switching

Auditing is configured to use both files I can provide the configuration output to show how auditing is started that includes the primary and secondary file and their file switch sizes..
0 Kudos
Reply
Turgay Cavdar
Honored Contributor

‎03-25-2010 03:33 AM

‎03-25-2010 03:33 AM

Re: audfile log files continually switching

If you can stop the auditing on the system, you can fist backup the audit files then you can try:

# audsys -f
# cp /dev/null /var/log/secure/audfile1
# cp /dev/null /var/log/secure/audfile2
# audsys -n -c /var/log/secure/audfile1 -s 1000000 -x /var/log/secure/audfile2 -z 1000000

Then see what happens...

0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 07:35 AM

‎03-25-2010 07:35 AM

Re: audfile log files continually switching

Hi, for the purposes of the test I can do this, the command line shown above, is exactly the same as is currently executed though so should show no change in behaviour.
0 Kudos
Reply
N Ward
Regular Advisor

‎03-25-2010 08:48 AM

‎03-25-2010 08:48 AM

Re: audfile log files continually switching

Ran the above suggestion, at 16:24 started auditing using the above command line. At 16:27 auditing switched to the second file and switched back again 4 minutes later and has continued doing so..
0 Kudos
Reply
N Ward
Regular Advisor

‎03-26-2010 08:02 AM

‎03-26-2010 08:02 AM

Re: audfile log files continually switching

I have discovered the problem.. We are using Realsecure on all our servers and when it starts it manages to hook into the audit subsystem and sets the audit switch size as 5000kb. Even if you stop and start auditing it makes no difference.

When you start Realsecure it states that it is setting the max audit file size to 5000kb. Problem solved..
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.