Auditing - Why do the auditing log files continue to grow beyond the specified value?
Advisor
Paul F. Bennett
Posts: 47
Registered: 08-06-2007
Message 1 of 3

Auditing - Why do the auditing log files continue to grow beyond the specified value?

Despite being set to 1000 kB, the secondary auditing log file continues to grow beyond the SEC_SWITCH value specified in the /etc/rc.config.d/auditing config file.

Server1:/.secure/etc# ll
total 8048
-rw-------   1 root       sys        1034032 Aug 24 09:51 audfile1
-rw-------   1 root       sys        2528230 Aug 24 11:15 audfile2 <----
-rw-------   1 root       sys             54 Aug 24 09:15 audnames


AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000 <---
AUDEVENT_ARGS1=" -P -F   -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDEVENT_ARGS4=""
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 2 of 3

Re: Auditing - Why do the auditing log files continue to grow beyond the specified value?

You have specified audfile1 as the primary audit file, and audfile2 as the secondary, or "next", audit file. When the primary file reaches 1000 kB in size, the audit subsystem will begin writing to audfile2. At this point, audfile2 becomes the new primary audit file, and there will be no next audit file defined any more.

You should have some process in place (e.g. a cron job or other periodic task) to check if the audit file has switched, and if it has, archive the old audit file and set up a new "next" audit file.


If this is not done and audfile2 reaches 1000 kB in size too, the audit subsystem cannot switch anywhere else: it has no idea where to switch to.

The design of the audit subsystem assumes auditing is serious stuff: it is assumed that losing any audit records might raise national security issues, invoke the wrath of Sarbanes-Oxley auditors or cause something else you really wish to avoid. Therefore, if the system has no file to switch to, it keeps on writing to the current file as long as it can. If the disk holding the current audit file becomes full and there is no next audit file defined and a user process is doing something that requires writing an audit log entry, it is time for drastic measures: the process will be frozen until the audit entry can be successfully written. No audit logging whenever required = no service!


In HP-UX 11.31, there is a facility for auto-generating new audit file names and running a command (e.g. a script) on the previous audit file each time the system switches to a new audit file.

MK
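The periodic check Matti describes, written out as an added example (my script, not code from the thread or from HP). It assumes the "next" file stays empty until the subsystem switches to it, and that `audsys -x file -z kb` (per audsys(1M)) defines the next audit file and its switch size; `AUDSYS_CMD` is a hypothetical override so the script can be dry-run with `AUDSYS_CMD=true`.

```shell
#!/bin/sh
# Added example: cron-driven check for an HP-UX audit file switch.
# Assumed (not from the thread): the next file is 0 bytes until the
# switch, and `audsys -x FILE -z KB` defines the next audit file.
# AUDSYS_CMD is a hypothetical override for dry runs (AUDSYS_CMD=true).

AUDSYS_CMD="${AUDSYS_CMD:-audsys}"

# file_kb FILE: size of FILE in whole kB (0 if missing).
file_kb() {
    if [ -f "$1" ]; then
        echo $(( $(wc -c < "$1") / 1024 ))
    else
        echo 0
    fi
}

# audit_switched PRIMARY NEXT: returns 0 once the subsystem has begun
# writing to NEXT, i.e. the next file has grown past zero bytes.
audit_switched() {
    [ -f "$2" ] && [ $(( $(wc -c < "$2") )) -gt 0 ]
}

# rotate_audit PRIMARY NEXT ARCHIVE_DIR SWITCH_KB
# On a detected switch: archive the old primary under a timestamped
# name, recreate the primary name as an empty file and hand it to the
# audit subsystem as the new "next" file, so the kernel always has
# somewhere to switch to. Prints the archive path; returns 1 if no
# switch was detected (nothing touched).
rotate_audit() {
    pri=$1; nxt=$2; arch=$3; kb=$4
    audit_switched "$pri" "$nxt" || return 1
    mkdir -p "$arch"
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$arch/$(basename "$pri").$stamp"
    mv "$pri" "$dest"
    : > "$pri"             # new, empty next file under the old name
    chmod 600 "$pri"       # audit files are root-only (mode 600 above)
    "$AUDSYS_CMD" -x "$pri" -z "$kb"
    echo "$dest"
}

# Cron usage (every few minutes), sizes from /etc/rc.config.d/auditing:
#   rotate_audit /.secure/etc/audfile1 /.secure/etc/audfile2 \
#                /.secure/archive 1000
```

Because the old "next" file becomes current after the switch, the two configured names simply alternate roles on every rotation.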
Advisor
Paul F. Bennett
Posts: 47
Registered: 08-06-2007
Message 3 of 3

Re: Auditing - Why do the auditing log files continue to grow beyond the specified value?

Great answer! Thanks
