HPE Community
Operating System - HP-UX
1833847 Members
2113 Online
110063 Solutions
New Discussion

How to interprete this from an audit log

 
Hai Nguyen_1
Honored Contributor

‎07-12-2002 06:22 AM

‎07-12-2002 06:22 AM

How to interprete this from an audit log

Folks,

I turned on the audit log yesterday. For about 12 hours, the log has been growing to 20Mb while the system has been very much idle. I read the log and almost everything I saw is what I attach. Please give me any pointer on how to interprete it. Thanks.

Hai
0 Kudos
Reply
4 REPLIES 4
S.K. Chan
Honored Contributor

‎07-12-2002 06:49 AM

‎07-12-2002 06:49 AM

Re: How to interprete this from an audit log

In my opinion I think it's saying that the semop (a syscall function related to semaphore) function failed since it returned a "-1". The error number "4" ..

#define EINTR 4 /* interrupted system call*/

kinnda indicated the semop function call got interrupted. Can you give more details what audit log did you turn on ? What application is running on this server (Oracle?) ? I would also suggest looking at a few of these kernel parameters .. (are they sufficiently set?)
semmni
semmne
maxtsiz
maxtsiz_64
I'm leaning towards an application on your system that is causing this logged message. This may not be an error.
0 Kudos
Reply
A. Clay Stephenson
Acclaimed Contributor

‎07-12-2002 06:49 AM

‎07-12-2002 06:49 AM

Re: How to interprete this from an audit log

Well, the only thing that I can tell you is that an otherwise normal semop() system call
has received an interrupt. The arguments to the semop() call appear completely valid. Because I assume the uid 'oinstall' is Oracle, I will make a guess that you need to look at the 'timeslice' tunable. It is possible that you have used the dreaded tuned parameter set that incorrectly sets timeslice to 1 rather than 10. Timeslice set to 1 causes all sorts of sema4 problems in addition to a host of other things.

If it ain't broke, I can fix that.
0 Kudos
Reply
Hai Nguyen_1
Honored Contributor

‎07-12-2002 08:33 AM

‎07-12-2002 08:33 AM

Re: How to interprete this from an audit log

Clay, Chan,

Thanks for responses.

The timeslice has been set to 10 already.

The node runs Oracle and Netscape server. Users oracle, netscape and root are audited. Audited events are login, admin, and moddac.
Many kernel params have been tuned for Oracle and the system have been up and running fine for the last two years.

Hai
0 Kudos
Reply
S.K. Chan
Honored Contributor

‎07-12-2002 09:22 AM

‎07-12-2002 09:22 AM

Re: How to interprete this from an audit log

I'm wondering if you turn off the audit event "moddac", do you still get the semop syscall messages in the audit log ? And we're talking about moddac.log, am I right ? From my impression this seems to a perfectly running system and those logs you're getting may not indicate any problem at all. With that assumption I can only think of 2 action items ..
1)Investigate if there is a patch fix for this.
2)Call HP Response Center.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.