HP OpenVMS Systems

ask the wizard

Security Audit Log Growing?


The Question is:

 
When the Security Audit and Alarms are disabled why would the Security Audit
 Log continue to grow?  I know that I shut them off over a week ago but the log
 continues to grow.  When I do a show audit it shows both audit and alarms
 disabled.   The only other thing is I have an account that I set the audit
 flag on and only turned it off today.  Could that be it??  Also when I use the
 set audit/server=new_log the system locks up and takes close to an hour to
 come back with the new log.
 


The Answer is:

 
  Having the audit flag enabled on a username is independent of the AUDIT
  settings.  When set, the flag causes ALL auditable events executed by that
  user to be audited. In most cases this will generate large volumes of
  audit trail, and information that is often entirely unnecessary.  That
  said, the use of the audit flag in controlled environments can be a very
  useful diagnostic tool.  If you really NEED to use the audit flag, you
  will need to allow for a large journal file, and may need to perform
  regular roll-overs.
 
    The slow SET AUDIT/SERVER=NEW could potentially be caused by the size
  of the journal file and the necessity of creating an appropriately-sized
  new file.  The AUDIT_SERVER process will attempt to learn your usage and
  will create a new file that it believes is "large enough", based on
  historic usage.
 
  To reset the "memory" of the journal size, you can execute the following
  DCL commands:
 
	$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=100
	$ SET AUDIT/SERVER=NEW
 
  By regularly rolling over your journal file (nightly, weekly, etc.), you
  will teach AUDIT_SERVER to expect a particular size of journal.
 
 

answer written or last revised on ( 13-AUG-2001 )
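
A nightly rollover of the kind the answer recommends could be scripted as the DCL procedure below. This is an added example, not part of the original answer and not HP's own code. It assumes the journal is in its default location (SYS$MANAGER:SECURITY.AUDIT$JOURNAL) and that the submitting account holds SECURITY privilege and can write to SYS$MANAGER; the dated archive file name is hypothetical.

```dcl
$! Added example (not from the original answer): nightly rollover of the
$! security audit journal, keeping each closed journal under a dated name.
$! Assumptions: default journal location, run from a batch queue by an
$! account with SECURITY privilege and write access to SYS$MANAGER.
$!
$! Resubmit this procedure for tomorrow before doing any work, so that a
$! failure below does not end the nightly cycle.
$ SELF = F$ELEMENT(0, ";", F$ENVIRONMENT("PROCEDURE"))
$ SUBMIT/AFTER=TOMORROW/NOPRINT 'SELF'
$!
$ JOURNAL = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$ STAMP   = F$CVTIME(,, "DATE") - "-" - "-"          ! e.g. 20010813
$ ARCHIVE = "SYS$MANAGER:SECURITY_''STAMP'.AUDIT$JOURNAL"  ! hypothetical name
$!
$! Open a new version of the journal. DCL's default error handling exits
$! the procedure here if the command fails, so the RENAME is not attempted.
$ SET AUDIT/SERVER=NEW_LOG
$!
$! The previous version (;-1) is now closed: give it the dated name.
$ RENAME 'JOURNAL';-1 'ARCHIVE'
$!
$! Log the size of the closed journal so unexpected growth (for example
$! from an account left with the Audit flag set) shows up in the batch log.
$ BLOCKS = F$FILE_ATTRIBUTES(ARCHIVE, "EOF")
$ WRITE SYS$OUTPUT "''F$TIME()' ''ARCHIVE' closed at ''BLOCKS' blocks"
$ EXIT
```

Submit the procedure once by hand; each run then queues the next one, and the per-night block counts accumulate in the batch log files.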
