As role admin, at label admin_high, check the /etc/security/audit_data file to determine the current process number of the audit daemon.
If that process is still running, and if the file name in audit_data(4) is the same as the file in question, do not clean the file.
Issue the command auditreduce with the -O (capital o) option.
Provide the workstation name as the argument to -O, followed by the incomplete file name. To delete the original record, use the -D option.
$ auditreduce -O workstation 19970413120429.not_terminated.workstation
This creates a new audit file with the correct name, cleans up pointers to other files, and copies all the records to the new file. The end-time is the time when the command was executed; the correct suffix is workstation, explicitly specified.
If you did not use the -D option, verify that the new file contains the original file's records, then delete the original file.
$ ls -l 19970413120429*.workstation
$ rm 19970413120429.not_terminated*
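The check in the first step (daemon still running and audit_data naming the same file) can be scripted before running auditreduce. This is an added example, not part of the original procedure; it assumes the audit_data(4) layout pid:pathname, and the function name safe_to_clean is hypothetical.

```shell
#!/bin/sh
# Added example. Assumes audit_data(4) holds one line: <pid>:<current audit file>
# safe_to_clean is a hypothetical helper name, not a Solaris command.
#
# safe_to_clean AUDIT_DATA CANDIDATE
#   returns 0  candidate may be cleaned with auditreduce -O
#   returns 1  audit daemon is running and still writing to the candidate
#   returns 2  audit_data is missing or malformed (fail closed, check by hand)
safe_to_clean() {
    audit_data=$1
    candidate=$2

    [ -r "$audit_data" ] || { echo "unknown"; return 2; }

    # Split at the first colon only; the rest of the line is the path.
    pid= current=
    IFS=: read -r pid current < "$audit_data" || :

    case $pid in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    [ -n "$current" ] || { echo "unknown"; return 2; }

    # Is the recorded audit daemon still alive? kill -0 needs the privilege
    # to signal it (the procedure runs as role admin); ps -p is the fallback.
    if kill -0 "$pid" 2>/dev/null || ps -p "$pid" >/dev/null 2>&1; then
        if [ "$(basename "$current")" = "$(basename "$candidate")" ]; then
            echo "in-use"; return 1
        fi
    fi
    echo "safe"; return 0
}

# Direct use: sh thisfile 19970413120429.not_terminated.workstation
if [ "$#" -eq 1 ]; then
    safe_to_clean /etc/security/audit_data "$1"
fi
```

A return of 2 means the script could not decide; inspect audit_data by hand rather than proceeding.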