Found that the audit logs grow too much on my new servers.
myserver:/:>audit query | head -2
auditing on
bin processing off
The audit subsystem records events such as 'su', 'passwd', file changes, cron, mail, tcpip, lvm, etc. Since the audit files are kept on a separate partition in my case, the risk of a disk-full condition spreading to other filesystems is still not that great.
myserver:/:>df -k | grep audit
/dev/fslv00 262144 227972 84% 8 1% /audit
myserver:/:>ls -l /audit/
total 67608
-rw------- 1 root system 0 Sep 14 16:43 auditb
-rw-rw---- 1 root system 10453248 Sep 14 16:43 bin1
-rw-rw---- 1 root system 11456 May 14 10:25 bin2
drwxr-xr-x 2 root system 256 Jul 10 14:43 lost+found
-rw-r----- 1 root system 34589752 May 14 10:24 trail
Although binsize in /etc/security/audit/config is set to 10240 (that is, 10240 bytes), the bin1 and bin2 files did not stay within the 10 KB limit.
Also, there is a cron job that rotates the trail file, but it does not compress the rotated file, so disk space is still being hogged.
myserver:/:>crontab -l | grep audit
0 * * * * /etc/security/aixpert/bin/cronaudit
So, let me suggest a workaround.
For the cron script, we add a line to gzip the rotated log file after shifting the old file aside:
mv /audit/trail /audit/trailOneLevelBack
gzip /audit/trailOneLevelBack
For the bin1 and bin2 files, stop audit, rotate the files and start audit:
# audit shutdown
# cp -p /audit/bin1 /audit/bin1.
# cp -p /audit/bin2 /audit/bin2.
# gzip /audit/bin1.
# gzip /audit/bin2.
# cp /dev/null /audit/bin1
# cp /dev/null /audit/bin2
# audit start
Be careful not to change the inode of the files. Otherwise, I read from Mr Google that audit might get 'confused' and not write audit logs into the bin files anymore; you might then need to reboot the host for audit to recover.
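The workaround above, written up as a single rotation script (an added example, not the page's cronaudit script or any AIX-supplied tool). It archives trail, bin1 and bin2 with cp -p plus gzip and then empties each live file with cp /dev/null, so no inode changes; it extends the page's procedure with timestamped archive names instead of a fixed "bin1." suffix, a retention count, and an inode check. Assumed names: AUDIT_DIR, AUDIT_CMD (set to "true" to rehearse on a scratch directory) and KEEP.

```shell
#!/bin/sh
# Added example (not the page's own cronaudit script): compress-and-rotate the
# AIX audit trail and bin files while keeping every live file's inode intact.
# Assumptions: files live in AUDIT_DIR (default /audit); AUDIT_CMD is the
# command used to stop/start auditing (default "audit"; set to "true" to
# rehearse on a scratch directory); KEEP compressed generations are retained.
AUDIT_DIR=${AUDIT_DIR:-/audit}
AUDIT_CMD=${AUDIT_CMD:-audit}
KEEP=${KEEP:-7}

# Print the inode number of a file (ls -i is POSIX; stat(1) is not on stock AIX).
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# Copy a live file to a timestamped archive, gzip the archive, then empty the
# live file in place. cp /dev/null truncates through the existing inode, so the
# descriptor the audit subsystem holds open still points at the file it logs to.
archive_in_place() {
    src=$1
    [ -f "$src" ] || return 0
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$src" "$src.$stamp" || return 1      # -p keeps the restrictive mode
    gzip -f "$src.$stamp" || return 1           # gzip preserves that mode too
    cp /dev/null "$src"
}

# Delete compressed generations beyond KEEP for each base name.
prune_old() {
    for base in trail bin1 bin2; do
        ls -1t "$AUDIT_DIR/$base".*.gz 2>/dev/null | tail -n +$((KEEP + 1)) |
        while read -r old; do rm -f "$old"; done
    done
}

# Full cycle: stop auditing, archive each file, prune, restart auditing.
rotate_audit() {
    "$AUDIT_CMD" shutdown || return 1
    for f in trail bin1 bin2; do
        archive_in_place "$AUDIT_DIR/$f" || return 1
    done
    prune_old
    "$AUDIT_CMD" start
}

# Invoke as "sh rotate_audit.sh run" from the hourly cron entry.
if [ "${1:-}" = run ]; then
    rotate_audit
fi
```

Run inode_of on bin1 before and after a cycle to confirm the number is unchanged; a changed inode is the symptom that precedes the "confused" audit subsystem described above.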
Thursday, September 27, 2012
Rotating AIX audit log
Labels: AIX