Occasionally, if the audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the workstation to switch to a new server, an audit file is left behind whose end-time in the file name is still the string not_terminated, even though the file is no longer used for audit records.
The auditreduce(1M) command processes files marked not_terminated, but because such a file may contain an incomplete record at its end, later processing may generate errors. To avoid these errors, clean the incomplete file with the -O option of auditreduce. This creates a new file containing all the records that were in the old one, but with a proper time stamp in the file name. The operation discards the previous-file pointer that is kept at the beginning of each audit file.
As role admin, at label admin_high, check the /etc/security/audit_data file to determine the current process ID of the audit daemon.
If that process is still running, and the file name recorded in audit_data(4) is the same as the file in question, do not clean the file: the daemon is still writing to it.
Issue the auditreduce command with the -O (capital o) option.
Provide the workstation name as the argument to -O, followed by the name of the incomplete file. To have the original file deleted as well, add the -D option.
$ auditreduce -O workstation 19970413120429.not_terminated.workstation
This creates a new audit file with the correct name, cleans up the pointers to other files, and copies all the records into the new file. The end-time in the new name is the time at which the command was run, and the suffix is the workstation name that was given explicitly to -O.
If you did not use the -D option, verify that the new file contains the original file's records, then delete the original file.
$ ls -l 19970413120429*.workstation
$ rm 19970413120429.not_terminated*
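The in-use check and the command sequence above, as an added shell helper that is not part of the Trusted Solaris documentation; it assumes the audit_data(4) layout pid:pathname on a single line, and the file names and process IDs used in the sample are constructed.

```sh
#!/bin/sh
# Added example: decide whether a *.not_terminated.* audit file may be
# cleaned with "auditreduce -O", and print the commands for doing so.
# Assumption: audit_data(4) holds one line of the form "pid:pathname".

# check_not_terminated AUDIT_DATA TARGET
#   returns 0  TARGET is not the daemon's current file: safe to clean
#           1  the audit daemon is alive and TARGET is its current file
#           2  TARGET is not a not_terminated file, or AUDIT_DATA unreadable
check_not_terminated() {
    audit_data=$1
    target=$2
    case $target in
        *.not_terminated.*) ;;
        *) return 2 ;;
    esac
    # split "pid:pathname"; IFS is changed for the read command only
    IFS=: read -r pid current < "$audit_data" || return 2
    # kill -0 only tests that the process exists; no signal is delivered
    if kill -0 "$pid" 2>/dev/null && [ "$current" = "$target" ]; then
        return 1
    fi
    return 0
}

# clean_commands TARGET
#   prints the auditreduce -O call (suffix taken from the file name) and
#   the verification and removal steps, to be run in the audit directory.
clean_commands() {
    name=$(basename "$1")
    suffix=${name##*.}      # host-name suffix, e.g. workstation
    stamp=${name%%.*}       # start time, e.g. 19970413120429
    printf 'auditreduce -O %s %s\n' "$suffix" "$name"
    printf 'ls -l %s*.%s\n' "$stamp" "$suffix"
    printf 'rm %s.not_terminated*\n' "$stamp"
}
```

Run the check first and only print or execute the commands when it returns 0.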