Re: Is it possible to restart audit server to clear opcom messages (408 Views)
Reply
Frequent Advisor
Lucie
Posts: 52
Registered: ‎05-11-2004
Message 1 of 6 (408 Views)
Accepted Solution

Is it possible to restart audit server to clear opcom messages

I had enabled an alarm and audit success and failure for SETPRV. This sent messageS to op console for every failure and success privilege access to SETPRV and BYPASS. The console is constantly displaying very successful/failure audit for SETPRV AND BYPASS. I disabled the privileges as soon as I realized what I did but the console has not "caught up" to the current date. I want to "stop" the audit server and re-start the audit server on the cluster.
After all the research I’ve done, this should not be problem. The command is SET AUDIT/SERVER=EXIT. Do I need to stop anything else?
Can I execute the command through SYSMAN after setting environment/cluster? Can I start the audit server in SYSMAN too?
I want piece of mind that I do need to shutdown another process and that this will not cause a problem when I start the audit server again

Honored Contributor
labadie_1
Posts: 1,221
Registered: ‎08-07-2003
Message 2 of 6 (408 Views)

Re: Is it possible to restart audit server to clear opcom messages

Hello

A thread was on that exact topic
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=581282

See particularly what John Gillings says, and the procedure he posted.


Honored Contributor
John Gillings
Posts: 2,994
Registered: ‎07-31-2003
Message 3 of 6 (408 Views)

Re: Is it possible to restart audit server to clear opcom messages

Gerard,
Thanks for your vote of confidence, but I don't think that's Lucie's real problem.

Lucie,

If you've already disabled the alarms, stopping the audit server won't stop the flood of messages - they've already been sent, they're just queued up on the way to being displayed by OPCOM. There are several places that queues of messages can form, and they can be exceptionally long.

Your problem is usually due to the very slow speed of OPA0. A very short action can generate numerous alarms, but they can take a relatively long time to display. If you've turned off the source, you may be able to just leave the system overnight to catch up.

It may be quicker to REPLY/DISABLE until the flood has drained. If there's a process logged in on OPA0 just type the command blind and wait a few minutes to see if the messages settle. If there is no process logged in, you can do it remotely with:

$ DEFINE/USER SYS$COMMAND OPA0:
$ REPLY/DISABLE

Since some types of audit can generate large numbers of messages, it's usually best to turn on AUDITs only for a short period, then analyze the audit journal to determine the level of traffic.

$ StartTime=F$TIME()
$ SET AUDIT/AUDIT/ENABLE=(whatever)
(wait a minute or so)
$ SET AUDIT/AUDIT/DISABLE=(same)
$ ANALYZE/AUDIT/OUT=file/SINCE="''StartTime'"

Now look at the size of the output file to see how many audits you got, and what type.

Enabling ALARMs is fine, but take into account the real output speed of your console. Maybe turn off SECURITY alarms on OPA0 to and use a terminal window instead.
A crucible of informative mistakes
HP Pro
Ian Miller.
Posts: 4,370
Registered: ‎06-03-2003
Message 4 of 6 (408 Views)

Re: Is it possible to restart audit server to clear opcom messages

SET TERMINAL/PERM/NOBROADCAST OPA0:

can help the system catch up.
___________________
Purely Personal Opinion
Frequent Advisor
Lucie
Posts: 52
Registered: ‎05-11-2004
Message 5 of 6 (408 Views)

Re: Is it possible to restart audit server to clear opcom messages

Thanks everyone for your suggestions. I did what John suggest and got my console back!

Frequent Advisor
Lucie
Posts: 52
Registered: ‎05-11-2004
Message 6 of 6 (408 Views)

Re: Is it possible to restart audit server to clear opcom messages

Thanks everyone for your help!!
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.