Audit log is rotating very often

Document ID : KB000018707
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Even though seaudit reports normal activity, the audit log files grow very fast, causing them to rotate often. This in turn prevents effective follow up of audited resources since just a few hour's worth of events are available. This document explains why this occurs.

Solution:

Usually, a seaudit -a command will report all audit records in the seos.audit file. However, the records shown will not include the trace records. It may thus be that a running trace is causing the file to fill up.

To check if this is the case one can issue the following commands

seaudit -a -fn ./seos.audit.bak.<date_time> | wc -l This command will indicate how many regular audit records exist in the corresponding seos.audit file

seaudit -a -tr -fn seos.audit.<date_time> | wc -l This other command will show the total number of trace records in the seos.audit file

If you see a large discrepancy it means that some resource has trace enabled.

Another possible known reason why the seos.audit file may be accumulating a lot of records is having KBL enabled (kbl_enabled=1 ) and in trace (kbl_trace=1) and, at the same time having the kbl_seosd_trace parameter set to yes while using interactive user mode.

By default kbl_seosd_trace is set to 1 in a system, but when the previous conditions are met, lots of EXEC and FORK audit messages are thrown into the audit file causing the growth indicated.