|
|
By default, the audit event log file will grow until it consumes all space available on the device that contains it. In many cases, you may want to limit the size of the log file to avoid the problems caused by a full device. You can control the size of the audit event log file with the -x option of auditlog.
The
-x
option takes a positive integer as an argument;
the integer specifies the size of the log file in blocks.
(Each block is 512 bytes.)
For example, the following command specifies that the maximum log file size
is 100 blocks:
auditlog -x 100
The size of the log file must be greater than or equal to the size of the audit buffer, which is set by the system tunable parameter ADT_BSIZE. This is defined in the /etc/conf/mtune.d/audit file. If the size specified by -x is not greater than or equal to ADT_BSIZE, auditlog prints the following error message:
invalid max_size specified Audit Log File Size Must Be >= n (512 byte)blockswhere n is the value of ADT_BSIZE.
The -x option is valid only if the log file is a regular file. If the log file is not a regular file and you use the -x option, auditlog prints the following warning message:
max_size applies only to regular files
A value of 0 (zero) indicates that the audit event log file is unbounded. The log file continues to grow until there is no space left on the device.