HPE Community
Operating System - HP-UX
1844043 Members
2289 Online
110227 Solutions
New Discussion

Trouble getting audsys to set next file

 
SOLVED
Go to solution
Jane Lecian
Valued Contributor

‎05-02-2003 05:04 AM

‎05-02-2003 05:04 AM

Trouble getting audsys to set next file

I am working on a HP-UX 11.0 (with Sept. 2002 QPK)system that is running as a Trusted System.

When I issue the command:
audsys -x /audit/audfile.next -z 2000
I expect that the next audit file will be set to /audit/audfile.next (and the current file will be left alone), but instead it sets audfile.next as the current file, and makes the switch now. How do I configure a next file from the command line? I can set a next file if I use SAM. I have read the man pages over a number of times, and really can't figure out what I am doing wrong.

Thanks so much for your help,

Jane
0 Kudos
Reply
3 REPLIES 3
Darren Prior
Honored Contributor

‎05-02-2003 05:22 AM

‎05-02-2003 05:22 AM

Re: Trouble getting audsys to set next file

Hi Jane,

A couple of quick thoughts:

1) can you post your /.secure/etc/audnames before & after you run the command so we can see what the current/next files are at these times.

2) have a look at samlog to see the command SAM has run to perform the change.

regards,

Darren.
Calm down. It's only ones and zeros...
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎05-02-2003 06:06 AM

‎05-02-2003 06:06 AM

Solution

Re: Trouble getting audsys to set next file

I had the same problem.

Took the following steps.

Reconfigured the files to the /home/secure fs so that root doesn't get filled up.

Wrote a cron job to shut them down weekly, copy them both to a /backup fs so they get archived.

cron
46 45 4 * * * /usr/contrib/bin/resetaudits 2>&1 | mailx -s "Archive the tru
sted system audit logs" HPSysCronLog@me.org


The script
#!/usr/bin/ksh

audsys -f
mv /home/secure/aud* /backups
audsys -n -c /home/secure/audfile1 -s 10000 -x /home/secure/audfile2 -z 10000




This is crude, needs documentation and refinement but it gets the log switches to stop BOTHERING me.

http://www.isnamerica.com
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
Jane Lecian
Valued Contributor

‎05-02-2003 06:44 AM

‎05-02-2003 06:44 AM

Re: Trouble getting audsys to set next file

Thank you for your responses.

In response to Darren's request for more information, here is the series on commands I entered:
ROOT: /.secure/etc> audsys -c /scratch/audit/audfile.begin -s 2000
created audit file: /scratch/audit/audfile.begin
ROOT: /.secure/etc> audsys
auditing system is currently on
current file: /scratch/audit/audfile.begin
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 2000 1 100 3309568 188778 99
next file: none
ROOT: /.secure/etc>cp audnames audnames.before
ROOT: /.secure/etc> audsys -x /scratch/audit/audfile.next -z 2000
created audit file: /scratch/audit/audfile.next
ROOT: /.secure/etc> audsys
auditing system is currently on
current file: /scratch/audit/audfile.next
next file: none
statistics- afs Kb used Kb avail % fs Kb used Kb avail %
current file: 2000 1 100 3309568 642476 98
next file: none
ROOT: /.secure/etc>
ROOT: /.secure/etc> cp audnames audnames.after
ROOT: /scratch/audit> ll
total 66
-rw------- 1 root sys 10035 May 2 10:25 audfile.begin
-rw------- 1 root sys 7428 May 2 10:27 audfile.next
ROOT: /scratch/audit>

I am not sure on how the formatting of this will come out in the message.

I am also attaching the audnames.before and audnames.after which I condensed into one file called audnames.txt. It is interesting that the text in the audnames does not match up with the output of the audsys command.

Also I will give the script that Steven provided a try. It sounds like a good work around. I have not tried starting and stopping the auditing system.

I'll let you know how it goes.

Thanks,

Jane
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.