01-25-2007 12:00 AM
how to read Auditing logs
How can I find out what is causing .audit to fill up so fast? I did "ps -ef", "strings audit_file", "top" etc. but did not see any unusual activity.
Is there a way to pinpoint what caused spikes in auditing at a particular moment?
01-25-2007 12:06 AM
Re: how to read Auditing logs
and welcome to the forums!
Check with audisp etc what the logs are reporting. You can break it by start/end time etc.
Depending at what level you have set your auditing, you may get a burst of syscalls if a specific program is running, for example.
See "man 5 audit" and related help at the bottom of the man page.
Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.
01-25-2007 12:08 AM
Re: how to read Auditing logs
The first thing I do with trusted systems is redirect the audit logs to a filesystem. That keeps them from filling up the root fs.
To read the logs:
http://www.techsolutions.hp.com/en/B2355-90121/ch02s05.html
http://www.docs.hp.com/en/B2355-90950/ch08s09.html
When I actually have to read them, I'd rather be drinking because they are really no fun to read.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
01-25-2007 12:35 AM
Re: how to read Auditing logs
You might want to read this man page:
http://docs.hp.com/en/B2355-90691/audevent.1M.html
and the one given by Peter before.
If you are able to understand those two man pages, the answer that you are looking for will come to you really fast.
The audevent command is going to show you the types of events present in the audit files, and from there determine what is causing so much logging in the machine.
Regards,
Jaime.