Operating System - HP-UX

how to read Auditing logs

 
vz7r1x
Regular Advisor

how to read Auditing logs

I have audit turned on. Once in a while, auditing spikes & fills up .audit directory.
How can I find out what is causing .audit to fill up so fast. I did "ps -ef", "strings audit_file", "top" etc but did not see any unusual activity.
Is there a way to pin point what caused spikes in auditing at a particular moment?
Peter Godron
Honored Contributor

Re: how to read Auditing logs

Hi,
and welcome to the forums !

Check with audisp etc what the logs are reporting. You can break it by start/end time etc.

Depending at what level you have set your auditing, you may get a burst of syscalls if a specific program is running, for example.

See "man 5 audit" and related help at the bottom of the man page.

Please also read:
http://forums1.itrc.hp.com/service/forums/helptips.do?#33 on how to reward any useful answers given to your questions.
Steven E. Protter
Exalted Contributor

Re: how to read Auditing logs

Shalom,

The first thing I do with trusted systems is redirect the audit logs to a filesystem. That keeps them from filling up the root fs.

To read the logs:
http://www.techsolutions.hp.com/en/B2355-90121/ch02s05.html

http://www.docs.hp.com/en/B2355-90950/ch08s09.html

When I actually have to read them, I'd rather be drinking because they are really no fun to read.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
vz7r1x
Regular Advisor

Re: how to read Auditing logs

Is there a way to find out which program may be causing audit files to fill up faster than usual?
Jaime Bolanos Rojas.
Honored Contributor

Re: how to read Auditing logs

vz7r1x,

You might want to read this man page:

http://docs.hp.com/en/B2355-90691/audevent.1M.html

and the one given by Peter before.
If you are able to understand those two man pages, the answer that you are looking for will come to you really fast.

The audevent command is going to show you the types of events present in the audit files, and from there determine what is causing so much logging in the machine.

Regards,

Jaime.
Work hard when the need comes out.
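An added example, written by the editor and not by any poster in this thread, of how one would tally a text dump of audit records (such as audisp output) to find which event type, which user, and which minute dominate a burst. The record layout in the constructed sample below is an assumption for illustration; adjust the timestamp column and the `Event=` / `User=` token names to match what audisp prints on your system.

```sh
#!/bin/sh
# Summarise audit records to locate the source of an audit-volume spike.
# Assumed record format (constructed, not claimed to be audisp's exact layout):
#   YYYYMMDD HH:MM:SS [ Event=<name>; User=<name>; ]

# top_values KEY FILE : "count value" lines for every KEY=value token, busiest first
top_values() {
    key=$1; file=$2
    grep -o "${key}=[^;[:space:]]*" "$file" \
        | sed "s/^${key}=//" \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# busiest KEY FILE : the single most frequent value for KEY (e.g. Event or User)
busiest() {
    top_values "$1" "$2" | head -1 | awk '{ print $2 }'
}

# peak_minute FILE : the HH:MM with the most records, i.e. when the burst happened
peak_minute() {
    awk '{ print substr($2, 1, 5) }' "$1" \
        | sort | uniq -c | sort -rn | head -1 | awk '{ print $2 }'
}

# Constructed sample records: one user generating a run of open() events in one minute.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
19980723 11:22:09 [ Event=login; User=root; ]
19980723 11:22:10 [ Event=exec; User=root; ]
19980723 11:23:01 [ Event=open; User=appuser; ]
19980723 11:23:01 [ Event=open; User=appuser; ]
19980723 11:23:02 [ Event=open; User=appuser; ]
19980723 11:23:02 [ Event=close; User=appuser; ]
19980723 11:24:15 [ Event=open; User=backup; ]
EOF

echo "Events by count:";  top_values Event "$SAMPLE"
echo "Users by count:";   top_values User  "$SAMPLE"
echo "Peak minute: $(peak_minute "$SAMPLE")"
```

On a real system, feed it the output of audisp narrowed to the spike's start/end time, then look at the processes belonging to the busiest user in that minute.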
vz7r1x
Regular Advisor

Re: how to read Auditing logs

Thank you all. I appreciate all the responses. I will start my reading now.