Re: auditing

Ed D · ‎09-14-2007

Hi,

I am trying to configure auditing on a hpux 11iV1 server. I have created two 500mb filesystems for the log files. I want auditing to fill /audit1 then switch to /audit2, when /audit2 is full to switch back to /audit1 and overwrite it. Is this possible?
My current config in /etc/rc.config.d/auditing is below, but with this config when audfile 2 is full it doesn't switch just writes to console and hangs the server.
AUDITING=1
PRI_AUDFILE=/audit1/audfile1
PRI_SWITCH=450000
SEC_AUDFILE=/audit2/audfile2
SEC_SWITCH=450000
AUDEVENT_ARGS1=" -P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 4 -t 1 -w 95"

Thanks and regards,
Ed

Todd McDaniel_1 · ‎09-14-2007

Ed,

Unix doesn't work that way, overwriting files unless you specifically tell it to overwrite a certain file by name.

If you were able to get it to point back at /audit1 it would hang just as well as it did on /audit2.

You would have to have some logic that removed all the data in /audit1 before you pointed there again.

Unix, the other white meat.

Rita C Workman · ‎09-14-2007

Couldn't you just write a script to monitor so that when audfile2 starts being written to you clear out audfile1 (size=0) and run command audsys -x audfile1 [this should reset audfile1 as NEXT]

Then when audfile1 start again to be written to, you clear out audfile2. It should actually continue to auto flip to audfile2 based on the auditing config file.

Just a quick thought for you to test/play with.

Rgrds,
Rita

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: auditing

auditing

Re: auditing

Re: auditing