SunSHIELD Basic Security Module Guide

Handling Nonactive Files Marked not_terminated

The auditreduce command processes files marked not_terminated, but because such files can contain incomplete records at the end, later processing can generate errors. To avoid errors, clean the files of any incomplete records. Before cleaning a file, make sure that auditd is not currently writing to it. To check, look at the audit_data file to determine the current process number of auditd. If that process is still running, and the file name recorded in audit_data is the same as the file in question, do not clean the file.

You can clean a file with the -O option of auditreduce. This creates a new file containing all the records that were in the old one, but with a proper file name time stamp. This operation loses the previous file pointer that's kept at the beginning of each audit file.

Or you can write a program to read through the file, locate the last record, rename the file, and clear out any incomplete records. A program can also keep the previous file pointer intact and determine which file to use next.
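As an added example (not part of the guide), the following POSIX shell sketch carries out the check and the cleaning step described above. It assumes the documented pid:pathname format of audit_data, its usual location /etc/security/audit_data, and uses a constructed sample line for the decision logic.

```shell
#!/bin/sh
# Added example, not from the SunSHIELD guide: decide whether a not_terminated
# audit file may be cleaned, then clean it with auditreduce -O.
# Assumption: audit_data holds one line of the form "pid:pathname".

# Constructed sample contents of audit_data (pid:pathname).
SAMPLE_AUDIT_DATA="1234:/var/audit/20240101120000.not_terminated.host1"

# audit_data_pid: print the auditd process ID recorded in an audit_data line.
audit_data_pid() {
    printf '%s\n' "$1" | cut -d: -f1
}

# audit_data_file: print the current audit trail path from an audit_data line.
audit_data_file() {
    printf '%s\n' "$1" | cut -d: -f2-
}

# pid_running PID: return 0 if the process exists (kill -0 sends no signal).
pid_running() {
    kill -0 "$1" 2>/dev/null
}

# safe_to_clean FILE AUDIT_DATA_LINE RUNNING
# Returns 1 (not safe) only when auditd is still running AND audit_data
# names FILE as the file it is writing; RUNNING is "yes" or "no" so the
# decision can be exercised without a live auditd.
safe_to_clean() {
    file=$1
    current=$(audit_data_file "$2")
    running=$3
    if [ "$running" = yes ] && [ "$current" = "$file" ]; then
        return 1
    fi
    return 0
}

# clean_file FILE SUFFIX: if safe, have auditreduce -O write a new file with
# a proper time stamp and SUFFIX, containing the complete records of FILE.
clean_file() {
    file=$1; suffix=$2
    line=$(cat /etc/security/audit_data)   # assumed path of audit_data
    if pid_running "$(audit_data_pid "$line")"; then running=yes; else running=no; fi
    if safe_to_clean "$file" "$line" "$running"; then
        auditreduce -O "$suffix" "$file"
    else
        echo "auditd is still writing to $file; not cleaning" >&2
        return 1
    fi
}
```

Cleaning this way still discards the previous-file pointer at the start of the audit file, as the text notes; a custom program is needed to preserve it.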