Operating System - OpenVMS

Re: Is it possible to restart audit server to clear opcom messages

 
SOLVED
Lucie
Frequent Advisor

Is it possible to restart audit server to clear opcom messages

I had enabled an alarm and audit success and failure for SETPRV. This sent messages to the op console for every failure and success privilege access to SETPRV and BYPASS. The console is constantly displaying every successful/failure audit for SETPRV and BYPASS. I disabled the privileges as soon as I realized what I did, but the console has not "caught up" to the current date. I want to "stop" the audit server and restart the audit server on the cluster.
After all the research I've done, this should not be a problem. The command is SET AUDIT/SERVER=EXIT. Do I need to stop anything else?
Can I execute the command through SYSMAN after setting environment/cluster? Can I start the audit server in SYSMAN too?
I want peace of mind that I do need to shut down another process and that this will not cause a problem when I start the audit server again.

5 REPLIES
labadie_1
Honored Contributor

Re: Is it possible to restart audit server to clear opcom messages

Hello

A thread was on that exact topic
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=581282

See particularly what John Gillings says, and the procedure he posted.


John Gillings
Honored Contributor
Solution

Re: Is it possible to restart audit server to clear opcom messages

Gerard,
Thanks for your vote of confidence, but I don't think that's Lucie's real problem.

Lucie,

If you've already disabled the alarms, stopping the audit server won't stop the flood of messages - they've already been sent, they're just queued up on the way to being displayed by OPCOM. There are several places that queues of messages can form, and they can be exceptionally long.

Your problem is usually due to the very slow speed of OPA0. A very short action can generate numerous alarms, but they can take a relatively long time to display. If you've turned off the source, you may be able to just leave the system overnight to catch up.

It may be quicker to REPLY/DISABLE until the flood has drained. If there's a process logged in on OPA0 just type the command blind and wait a few minutes to see if the messages settle. If there is no process logged in, you can do it remotely with:

$ DEFINE/USER SYS$COMMAND OPA0:
$ REPLY/DISABLE

Since some types of audit can generate large numbers of messages, it's usually best to turn on AUDITs only for a short period, then analyze the audit journal to determine the level of traffic.

$ StartTime=F$TIME()
$ SET AUDIT/AUDIT/ENABLE=(whatever)
$ WAIT 00:01:00 ! wait a minute or so
$ SET AUDIT/AUDIT/DISABLE=(same)
$ ANALYZE/AUDIT/OUT=file/SINCE="''StartTime'"

Now look at the size of the output file to see how many audits you got, and what type.

Enabling ALARMs is fine, but take into account the real output speed of your console. Maybe turn off SECURITY alarms on OPA0 and use a terminal window instead.
A crucible of informative mistakes
Ian Miller.
Honored Contributor

Re: Is it possible to restart audit server to clear opcom messages

SET TERMINAL/PERM/NOBROADCAST OPA0:

can help the system catch up.
____________________
Purely Personal Opinion
Lucie
Frequent Advisor

Re: Is it possible to restart audit server to clear opcom messages

Thanks everyone for your suggestions. I did what John suggested and got my console back!

Lucie
Frequent Advisor

Re: Is it possible to restart audit server to clear opcom messages

Thanks everyone for your help!!