System Administration Guide: Security Services

Procedure: How to Clean Up a not_terminated Audit File

Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.

  1. List the files with the not_terminated string on your audit file system in order of creation.


    # ls -R1t audit-directory*/files/* | grep not_terminated

    -R    Lists files in subdirectories.

    -t    Lists files from most recent to oldest.

    -1    Lists the files in one column.

  2. Clean up the old not_terminated file.

    Specify the name of the old file to the auditreduce -O command.


    # auditreduce -O system-name old-not-terminated-file
    
  3. Remove the old not_terminated file.

    Specify only the name of the old file; the system name is not an argument to rm.


    # rm old-not-terminated-file
    

Example 30–35 Cleaning Up Closed not_terminated Audit Files

In the following example, not_terminated files are found, renamed, then the originals are removed.


# ls -R1t */files/* | grep not_terminated
…/egret.1/20030908162220.not_terminated.egret
…/egret.1/20030827215359.not_terminated.egret
# cd */files/egret.1
# auditreduce -O egret 20030908162220.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Input (old) audit file
20030827215359.not_terminated.egret
# rm 20030827215359.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Cleaned up audit file

The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.
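The procedure above depends on telling the current not_terminated file (the one the audit daemon is still writing) apart from stale ones, so that auditreduce -O and rm are only ever applied to the latter. The following script is an added example, not part of the Solaris guide: it lists every not_terminated file except the newest one per host and prints, without executing, the step 2 and step 3 commands for each stale file so they can be reviewed before being run. It assumes the guide's audit-root/files/host.N directory layout, the start.end.host naming convention (so the newest start timestamp per host sorts first), and paths without whitespace; the sample tree it builds is constructed for the demo and auditreduce itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: find stale not_terminated
# audit files and emit the guide's clean-up commands for review.
# Assumptions: layout audit-root/files/<host>.N/, file names of the form
# start.end.host, and no whitespace in paths.

# Print every not_terminated file under "$1" except the newest one per host.
# The newest is the file the audit daemon is still writing and must be left
# alone; only the older ones are stale and safe to clean up.
stale_not_terminated() {
    find "$1" -type f -name '*.not_terminated.*' |
    while IFS= read -r path; do
        name=${path##*/}          # e.g. 20030827215359.not_terminated.egret
        host=${name##*.}          # trailing component is the host name
        printf '%s %s %s\n' "$host" "$name" "$path"
    done |
    # group by host, newest start timestamp (lexically largest name) first,
    # then drop the first line of each host group: that is the current file
    sort -k1,1 -k2,2r |
    awk '{ if ($1 == prev) print $3; prev = $1 }'
}

# Print, without executing, the step 2 and step 3 commands for each stale
# file: auditreduce -O system-name old-file, then rm old-file.
plan_cleanup() {
    stale_not_terminated "$1" |
    while IFS= read -r path; do
        name=${path##*/}
        printf 'cd %s && auditreduce -O %s %s && rm %s\n' \
            "${path%/*}" "${name##*.}" "$name" "$name"
    done
}

# Build a throw-away tree with constructed file names: one current and one
# stale not_terminated file for host egret, one closed file for egret, and
# one current file for host heron. Prints the root directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/files/egret.1" "$dir/files/heron.1"
    for f in 20030908162220.not_terminated.egret \
             20030827215359.not_terminated.egret \
             20030820000000.20030826000000.egret \
             20030901120000.not_terminated.heron; do
        : > "$dir/files/${f##*.}.1/$f"
    done
    printf '%s\n' "$dir"
}

# Usage: sh stale_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    plan_cleanup "$root"     # one line: the stale egret file only
    rm -rf "$root"
fi
```

Run with --demo to see the planned commands for the constructed tree; on a real audit file system, pass the audit root to plan_cleanup and pipe its output into sh only after checking that no line names a file the daemon is still writing.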