HPE Community
Operating System - HP-UX
1836359 Members
2417 Online
110100 Solutions
New Discussion

how to read Auditing logs

 
vz7r1x
Regular Advisor

‎01-25-2007 12:00 AM

‎01-25-2007 12:00 AM

how to read Auditing logs

I have audit turned on. Once in a while, auditing spikes & fills up .audit directory.
How can I find out what is causing .audit to fill up so fast. I did "ps -ef, "strings audit_file", "top" etc but did not see any unusual activity.
Is there a way to pin point what causeed spikes in auditing at a particular mooment?
0 Kudos
Reply
5 REPLIES 5
Peter Godron
Honored Contributor

‎01-25-2007 12:06 AM

‎01-25-2007 12:06 AM

Re: how to read Auditing logs

Hi,
and welcome to the forums !

Check with audisp etc what the logs are reporting. You can break it by start/end time etc.

Depending at what level you have set your auditing, you may get a burst of syscalls if a specific program is running, for example.

See "man 5 audit" and related help at the bottom of the man page.

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎01-25-2007 12:08 AM

‎01-25-2007 12:08 AM

Re: how to read Auditing logs

Shalom,

The first thing I do with trusted systems is redirect the audit logs to a fileystem. That keeps them from filling up the root fs.

To read the logs:
http://www.techsolutions.hp.com/en/B2355-90121/ch02s05.html

http://www.docs.hp.com/en/B2355-90950/ch08s09.html

When I actually have to read them, I'd rather be drinking because they are really no fun to read.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
vz7r1x
Regular Advisor

‎01-25-2007 12:24 AM

‎01-25-2007 12:24 AM

Re: how to read Auditing logs

Is there a way to find out which program may be causing audit files to fill up faster than usual?
0 Kudos
Reply
Jaime Bolanos Rojas.
Honored Contributor

‎01-25-2007 12:35 AM

‎01-25-2007 12:35 AM

Re: how to read Auditing logs

vz7r1x,

You might want to read this man page:

http://docs.hp.com/en/B2355-90691/audevent.1M.html

and the one given by Peter before.
If you are able to understand those two man pages, the answer that you are looking for will come to you really fast.

The audevent command is going to show you the types of events present in the audit files, and from there determine what is causing so much loggin in the machine.

Regards,

Jaime.
Work hard when the need comes out.
0 Kudos
Reply
vz7r1x
Regular Advisor

‎01-25-2007 01:02 AM

‎01-25-2007 01:02 AM

Re: how to read Auditing logs

Thank you all. I appreciate all the responses. I will start my reading now.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.