Audit log is rotating very often

Document ID : KB000018707
Last Modified Date : 14/02/2018


Even though seaudit reports normal activity, the audit log files grow very fast, causing them to rotate often. This in turn prevents effective follow-up of audited resources, since only a few hours' worth of events remain available. This document explains why this occurs.


Usually, a seaudit -a command reports all audit records in the seos.audit file. However, the records shown do not include trace records, so a running trace may be what is filling the file.

To check whether this is the case, issue the following commands:

seaudit -a -fn ./seos.audit.bak.<date_time> | wc -l
This command shows how many regular audit records exist in the corresponding seos.audit file.

seaudit -a -tr -fn seos.audit.<date_time> | wc -l
This second command shows the total number of trace records in the seos.audit file.

If you see a large discrepancy between the two counts, some resource has trace enabled.
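The comparison above, wrapped in a small POSIX shell script so that every rotated seos.audit file can be checked in one pass. This is an added example, not part of the CA document; it assumes seaudit is on PATH, that -tr lists only trace records as the document states, and the 80% share used to call a discrepancy "large" is our own choice.

```shell
#!/bin/sh
# Added example (not from the CA document): run the document's two seaudit
# commands on each file given and flag files where trace records dominate.
# Assumptions: seaudit is on PATH; "-tr" lists trace records only; the 80%
# threshold for a "large discrepancy" is ours (override via TRACE_PCT_LIMIT).

TRACE_PCT_LIMIT=${TRACE_PCT_LIMIT:-80}

# Integer percentage of trace records among all records (0 when both are 0).
trace_share() {
    regular=$1
    trace=$2
    total=$((regular + trace))
    if [ "$total" -eq 0 ]; then
        echo 0
    else
        echo $((trace * 100 / total))
    fi
}

# Verdict for one pair of counts: TRACE-DOMINATED or NORMAL.
trace_verdict() {
    if [ "$(trace_share "$1" "$2")" -ge "$TRACE_PCT_LIMIT" ]; then
        echo TRACE-DOMINATED
    else
        echo NORMAL
    fi
}

# Count regular and trace records in each file and print one summary line
# per file, so the rotated backups can be compared at a glance.
check_audit_files() {
    for f in "$@"; do
        regular=$(seaudit -a -fn "$f" | wc -l)
        trace=$(seaudit -a -tr -fn "$f" | wc -l)
        printf '%s regular=%d trace=%d trace_share=%d%% %s\n' \
            "$f" "$regular" "$trace" "$(trace_share "$regular" "$trace")" \
            "$(trace_verdict "$regular" "$trace")"
    done
}

# Usage: sh check_seos_audit.sh /path/to/seos.audit.bak.*
# Only runs when files are given, so the helpers can be sourced on their own.
if [ "$#" -gt 0 ]; then
    command -v seaudit >/dev/null 2>&1 || { echo "seaudit not found" >&2; exit 1; }
    check_audit_files "$@"
fi
```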

Another known reason the seos.audit file may accumulate a large number of records is having KBL enabled (kbl_enabled=1) and in trace mode (kbl_trace=1) while, at the same time, the kbl_seosd_trace parameter is set to yes and interactive user mode is in use.

By default kbl_seosd_trace is set to 1, but when the conditions above are met, large numbers of EXEC and FORK audit messages are written to the audit file, causing the growth described above.