HPE Community
Operating System - HP-UX
1838348 Members
3669 Online
110125 Solutions
New Discussion

audomon -X

 
SOLVED
Go to solution
Tim Yeung_1
Frequent Advisor

‎03-18-2009 04:07 PM

‎03-18-2009 04:07 PM

audomon -X

I'm trying to use audomon -X to delete audit log files that are older than 60 days:

audomon -p 20 -t 1 -w 90 -X \
'/usr/bin/find /var/.audit" -mtime +60 -exec rm {} 1;'

But I keep getting the "find: missing conjuction" error everytime audomon runs.

Thanks
0 Kudos
Reply
6 REPLIES 6
James R. Ferguson
Acclaimed Contributor

‎03-18-2009 04:23 PM

‎03-18-2009 04:23 PM

Re: audomon -X

Hi Tim:

THe 'find()' command syntax is wrong. I believe that you want:

# audomon -p 20 -t 1 -w 90 -X "/usr/bin/find /var/.audit -type f -mtime +60 -exec rm {} +"

...note that I added the restriction to find only files ('-type f') which should allow the 'rm' to work on all elements found. THe use of the '+' terminator for the '-exec' optimizes the performance.

See the 'find' manpages for more information.

Regards!

...JRF...
0 Kudos
Reply
Tim Yeung_1
Frequent Advisor

‎03-18-2009 04:38 PM

‎03-18-2009 04:38 PM

Re: audomon -X

Still getting "missing conjunction"
I entered exactly what you suggested.
There are spaces between rm, {}, and +

audomon -p 20 -t 1 -w 90 -X "/usr/bin/find /var/.audit -type f -mtime +60 -exec rm {} +"

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎03-18-2009 09:38 PM

‎03-18-2009 09:38 PM

Solution

Re: audomon -X

I can't get that -X command to fire off, audomon just keeps running.

Reading audomon(1M) very closely indicates you need to do:
audomon -p 20 -t 1 -w 90 \
-X "/usr/bin/find /var/.audit -type f -mtime +60 -exec rm {} + #"

Where the "#" comments out the useless string "OldTrail".

Or you may want to use: ... -X "/path/to/myscript"
Then myscript can do that find and ignore "OldTrail" in $1.

(That "1;" may have been "\;"??)
Reply
Tim Yeung_1
Frequent Advisor

‎03-19-2009 07:51 AM

‎03-19-2009 07:51 AM

Re: audomon -X

Yes, it works now. The '#' did it!

In my original note, '1;' was suppose to be '/;'

Thanks.
0 Kudos
Reply
James R. Ferguson
Acclaimed Contributor

‎03-19-2009 07:59 AM

‎03-19-2009 07:59 AM

Re: audomon -X

Hi (again) Tim:

I'm glad Dennis solved this as it was puzzling me. I don't have an audited system nor 11.31 to try.

> In my original note, '1;' was suppose to be '/;'

No, that would have been an escaped semicolon as:

# ... \;

...which when replaced with a '+' improves the performance as I noted, since arguments are bundled and passed as a list/array to the object of the '-exec'.

Regards!

...JRF...
Reply
Dennis Handly
Acclaimed Contributor

‎03-19-2009 07:03 PM

‎03-19-2009 07:03 PM

Re: audomon -X

>JRF: I don't have an audited system nor 11.31 to try.

I didn't have an audited system but I did have 11.31 and the man page.

Sometimes if you have never heard of the command, you read more closely. :-)
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.