HPE Community
Operating System - HP-UX
1855558 Members
10171 Online
104112 Solutions
New Discussion

Re: Trusted System Audit File Administration

 
SOLVED
Go to solution
Richard Mertz
Regular Advisor

‎09-06-2000 07:33 AM

‎09-06-2000 07:33 AM

Trusted System Audit File Administration

What do you guys do for "automatically" administering the Audit files generated in trusted system auditing? How do you "remove them". I just started using trusted system audit, I backup the previous audit file and empty it. I get messages that the system can not switch to a new audit file even though the old one is now empty.
What anybody thinks of me is none of my business.
0 Kudos
Reply
4 REPLIES 4
Stefan Farrelly
Honored Contributor

‎09-06-2000 07:56 AM

‎09-06-2000 07:56 AM

Re: Trusted System Audit File Administration


run runacct and monacct commands regularly to cleanup the auditing logs. see the manpages on them for options.

Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
Richard Mertz
Regular Advisor

‎09-06-2000 08:14 AM

‎09-06-2000 08:14 AM

Re: Trusted System Audit File Administration

Stefan:

Those seem to be exclusively for accounting/charge back reporting. In a quick read, I didn't see anything about manipulating system audit files as created by audit in trusted systems. What am I missing?

Richard
What anybody thinks of me is none of my business.
0 Kudos
Reply
Tom Danzig
Honored Contributor

‎09-06-2000 08:28 AM

‎09-06-2000 08:28 AM

Solution

Re: Trusted System Audit File Administration

I copy the primary audit file to a tape, zero out the primary, and the run audsys to switch logging back to the primary. Do a man on audsys for the necessary switches to do so.
Reply
Stefan Farrelly
Honored Contributor

‎09-06-2000 08:30 AM

‎09-06-2000 08:30 AM

Re: Trusted System Audit File Administration


Those commands do a bit of trimming but I guess your talking about the large files in /.secure/etc audfile1 and 2 ?
What does your /.secure/etc/audnames file looklike, this controls the audit size and switching. Ours looks like this;
/.secure/etc/audfile2,20000
/.secure/etc/audfile1,20000
So our audit files will cycle around at 20Mb.
You can edit this file then stop and restart auditing (/sbin/init.d/auditing stop/start)
Im from Palmerston North, New Zealand, but somehow ended up in London...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.