Cleaning up an Open Audit File

Occasionally, if an audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the workstation to switch to a new server, an audit file remains in which the end-time in the file name remains the string not_terminated, even though the file is no longer used for audit records.

The auditreduce(1M) command processes files marked not_terminated, but because such files may contain incomplete records at the end, future processing may generate errors. To avoid errors, clean the incomplete file with the -O option of auditreduce. This creates a new file containing all the records that were in the old one, but with a proper file name time stamp. This operation loses the previous file pointer that's kept at the beginning of each audit file.