Managing Auditing in Oracle^® Solaris 11.3

How to Change Audit Queue Controls

The audit service provides default values for audit queue parameters. You can inspect, permanently change, and temporarily change these values with the auditconfig command.

Before You Begin

You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

1. View the current values of the audit queue controls.

   $ auditconfig -getqctrl
   ...

   For an explanation of the output, see Displaying Audit Service Defaults.

2. Modify selected audit queue controls.

   For examples and a description of the audit queue controls, see the auditconfig(1M) man page.

   • To modify some or all audit queue controls, use the –setqctrl option.

     # auditconfig [ -t ] -setqctrl hiwater lowater bufsz interval

     The high water (hiwater) and low water (lowater) values indicate the points at which processes are respectively suspended and resume. The points are measured in terms of the number of undelivered audit records. The buffer size (bufsz) refers to the buffer size of the queue. Interval indicates the delay, measured in number of ticks, between generation of audit output.

     For example, set the interval value to 10 without setting the other controls.

     # auditconfig -setqctrl 0 0 0 10

   • To modify a specific audit queue control, specify its option. The –setqdelay option is the equivalent of –setqctrl 0 0 0 interval, as in auditconfig -setqdelay 10.

     # auditconfig [ -t ] -setqhiwater value
     # auditconfig [ -t ] -setqlowater value
     # auditconfig [ -t ] -setqbufsz value
     # auditconfig [ -t ] -setqdelay value

Example 14  Resetting an Audit Queue Control to the Default

The administrator sets all audit queue controls, then changes the lowater value in the repository back to the default.

# auditconfig -setqctrl 200 5 10216 10
# auditconfig -setqctrl 200 0 10216 10
configured audit queue hiwater mark (records) = 200
no configured audit queue lowater mark
configured audit queue buffer size (bytes) = 10216
configured audit queue delay (ticks) = 10
active audit queue hiwater mark (records) = 200
active audit queue lowater mark (records) = 5
active audit queue buffer size (bytes) = 10216
active audit queue delay (ticks) = 10

Later, the administrator sets the lowater value to the default for the current session.

# auditconfig -setqlowater 10
# auditconfig -getqlowater
configured audit queue lowater mark (records) = 10
active audit queue lowater mark (records) = 10