System Administration Guide: Security Services

ProcedureHow to Clean Up a not_terminated Audit File

Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.

  1. List the files with the not_terminated string on your audit file system in order of creation.

    # ls -R1t audit-directory*/files/* | grep not_terminated

    Lists files in subdirectories.


    Lists files from most recent to oldest.


    Lists the files in one column.

  2. Clean up the old not_terminated file.

    Specify the name of the old file to the auditreduce -O command.

    # auditreduce -O system-name old-not-terminated-file
  3. Remove the old not_terminated file.

    # rm system-name old-not-terminated-file

Example 30–38 Cleaning Up Closed not_terminated Audit Files

In the following example, not_terminated files are found, renamed, then the originals are removed.

ls -R1t */files/* | grep not_terminated
# cd */files/egret.1
# auditreduce -O egret 20030908162220.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Input (old) audit file
# rm 20030827215359.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Cleaned up audit file

The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.