DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Configuring auditing

Using auditlog to specify the action when the log file is full

A log full condition is reached if one of the following occurs:

The auditing subsystem takes one of the following actions when a log full condition is reached:
The action taken depends on the value of the AUDIT_LOGFULL parameter in the /etc/default/audit file. The value for this parameter in the distributed system is DISABLE (disable auditing). You can set the value of the AUDIT_LOGFULL parameter with the System Defaults Manager or the defadm(ADM) command. For example, to set auditing to be disabled upon a log full condition, enter the following command:

defadm audit AUDIT_LOGFULL=DISABLE

You can override the value of the AUDIT_LOGFULL parameter with the -d, -s, -a, and -A options of the auditlog command. The -d option specifies that auditing will be disabled, the -s option specifies that the computer system will be shutdown and the -a and -A options specify a switch to an alternate log file. The ability to switch to an alternate log file, when the primary log file is full, allows for continuous auditing. Consider configuring your system to switch to an alternate log file and to execute a program when the log switch occurs. By doing so, you can create a continuous series of log files without losing any audit data. ``Specifying continuous auditing'' presents information on ways to accomplish this.

If you want the highest possible level of security and you cannot configure an alternate log, you should shut your system down when the log file becomes full.


Next topic: Specifying continuous auditing
Previous topic: Using auditlog to specify the size of the log file

© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005