Managing Auditing in Oracle® Solaris 11.2

Exit Print View

Updated: July 2014
 
 

How to Clean Up a not_terminated Audit File

When anomalous system interruptions occur, the audit service exits while its audit file is still open. Or, a file system becomes inaccessible and forces the system to switch to a new file system. In such instances, an audit file remains with the string not_terminated as the end time stamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct time stamp.

Before You Begin

You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. List the files with the not_terminated string on your audit file system in order of creation.
    # ls -R1t audit-directory */* | grep not_terminated
    –R

    Lists files in subdirectories.

    –t

    Lists files from most recent to oldest.

    –1

    Lists the files in one column.

  2. Clean up the old not_terminated file.

    Specify the name of the old file to the auditreduce -O command.

    # auditreduce -O system-name old-not-terminated-file
    
  3. Remove the old not_terminated file.
    # rm system-name old-not-terminated-file
    
Example 5-16  Cleaning Up Closed not_terminated Audit Files

In the following example, not_terminated files are found, renamed, then the originals are removed.

ls -R1t */* | grep not_terminated
…/egret.1/20100908162220.not_terminated.egret
…/egret.1/20100827215359.not_terminated.egret

# cd */egret.1
# auditreduce -O egret 20100908162220.not_terminated.egret
# ls -1t
20100908162220.not_terminated.egret Current audit file

20100827230920.20100830000909.egret Cleaned-up audit file

20100827215359.not_terminated.egret Input (old) audit file

# rm 20100827215359.not_terminated.egret
# ls -1t
20100908162220.not_terminated.egret Current audit file

20100827230920.20100830000909.egret Cleaned-up audit file

The start time stamp on the new file reflects the time of the first audit event in the not_terminated file. The end time stamp reflects the time of the last audit event in the file.