Using auditlog to specify the action when the log file is full
A log full condition is reached if one of the following occurs:

-  The log file is a regular file and it has reached the size specified by the -x option of the auditlog command.
-  The log file is a regular file and the filesystem it resides in runs out of space.
-  The log file is a special character device, such as a tape drive, and the device cannot hold any more data.
The auditing subsystem takes one of the following actions when a log full condition is reached:

-  disable auditing
-  shut down the computer system
-  switch to an alternate log file and (if desired) run a program
The action taken depends on the value of the AUDIT_LOGFULL parameter in the /etc/default/audit file. The value for this parameter in the distributed system is DISABLE (disable auditing).

You can set the value of the AUDIT_LOGFULL parameter with the System Defaults Manager or the defadm(1M) command. For example, to set auditing to be disabled upon a log full condition, enter the following command:

   defadm audit AUDIT_LOGFULL=DISABLE
You can override the value of the AUDIT_LOGFULL parameter with the -d, -s, -a, and -A options of the auditlog command. The -d option specifies that auditing will be disabled, the -s option specifies that the computer system will be shut down, and the -a and -A options specify a switch to an alternate log file.
The ability to switch to an alternate log file when the primary log file is full allows for continuous auditing. Consider configuring your system to switch to an alternate log file and to execute a program when the log switch occurs. By doing so, you can create a continuous series of log files without losing any audit data. ``Specifying continuous auditing'' presents information on ways to accomplish this.

If you want the highest possible level of security and you cannot configure an alternate log, you should shut your system down when the log file becomes full.
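The following POSIX shell script is an added example, not part of the UnixWare documentation or of the auditlog or defadm tools. It reads the AUDIT_LOGFULL parameter from an /etc/default/audit-style file and reports whether a log full condition would silently stop auditing (the shipped DISABLE setting) or whether a different action is configured. The sample defaults file embedded in the script is constructed, the assumption that an absent parameter behaves like the shipped DISABLE default is the script's own, and only sed and tail are required.

```shell
#!/bin/sh
# Added example (not from the UnixWare documentation): inspect the
# AUDIT_LOGFULL setting in an /etc/default/audit-style file and report
# whether a log full condition would silently stop auditing.
# Assumes POSIX sh with sed and tail; the sample file below is constructed.

# Constructed sample of a defaults file as shipped (auditing disabled on log full).
SAMPLE_SHIPPED_DEFAULTS='# constructed sample, not a real /etc/default/audit
AUDIT_LOGFULL=DISABLE
'

# Print the effective AUDIT_LOGFULL value from the given defaults file.
# /etc/default files are KEY=VALUE lines; comment lines start with '#'.
# The last assignment wins, and an absent parameter yields an empty string.
audit_logfull_value() {
    sed -n 's/^[[:space:]]*AUDIT_LOGFULL=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*$//'
}

# Classify the setting for a defender's review:
#   returns 0 -> a value other than DISABLE is set, so auditing is not
#                silently switched off when the log fills
#   returns 1 -> DISABLE: events after the log fills are lost
#   returns 2 -> parameter missing; treated as DISABLE, the distributed
#                default (assumption: an unset parameter behaves as shipped)
audit_logfull_check() {
    value=$(audit_logfull_value "$1")
    case "$value" in
        "")
            echo "AUDIT_LOGFULL not set in $1; shipped default is DISABLE"
            return 2 ;;
        DISABLE)
            echo "AUDIT_LOGFULL=DISABLE in $1: auditing stops when the log is full"
            return 1 ;;
        *)
            echo "AUDIT_LOGFULL=$value in $1: auditing is not silently disabled"
            return 0 ;;
    esac
}

# Usage on a live system: audit_logfull_check /etc/default/audit
# Demonstration on the constructed sample (exit status is ignored here
# so the script can be sourced or run under 'set -e'):
demo_file="${TMPDIR:-/tmp}/audit-defaults-demo.$$"
printf '%s' "$SAMPLE_SHIPPED_DEFAULTS" > "$demo_file"
audit_logfull_check "$demo_file" || :
rm -f "$demo_file"
```

A finding of DISABLE is the case the documentation warns about: once the log fills, events are no longer recorded. Remediation is done with defadm audit AUDIT_LOGFULL=<value> (or through the System Defaults Manager), choosing the shutdown or alternate-log action described above; this script only reports, it does not change the file.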
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004