HP OpenVMS Systems: ask the wizard
The Question is:
When the Security Audit and Alarms are disabled why would the Security Audit Log continue to grow? I know that I shut them off over a week ago but the log continues to grow. When I do a show audit it shows both audit and alarms disabled. The only other thing is I have an account that I set the audit flag on and only turned it off today. Could that be it?? Also when I use the set audit/server=new_log the system locks up and takes close to an hour to come back with the new log.
The Answer is:
Having the audit flag enabled on a username is independent of the AUDIT
settings. When set, the flag causes ALL auditable events executed by that
user to be audited. In most cases this will generate large volumes of
audit trail, and information that is often entirely unnecessary. That
said, the use of the audit flag in controlled environments can be a very
useful diagnostic tool. If you really NEED to use the audit flag, you
will need to allow for a large journal file, and may need to perform
regular roll-overs.
The slow SET AUDIT/SERVER=NEW could potentially be caused by the size
of the journal file and the necessity of creating an appropriately-sized
new file. The AUDIT_SERVER process will attempt to learn your usage and
will create a new file that it believes is "large enough", based on
historic usage.
To reset the "memory" of the journal size, you can execute the following
DCL commands:
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=100
$ SET AUDIT/SERVER=NEW
By regularly rolling over your journal file (nightly, weekly, etc.), you
will teach AUDIT_SERVER to expect a particular size of journal.