An audit file can be left with the string not_terminated as its end time stamp even though it is no longer used for audit records. This happens, for example, when an anomalous system interruption causes the audit service to exit while its audit file is still open, or when a file system becomes inaccessible and forces the audit service to switch to a new file system. Use the auditreduce -O command to give such a file the correct time stamp.
Before You Begin
You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.
List the not_terminated files in the audit file system:
# ls -R1t audit-directory */* | grep not_terminated
-R  Lists files in subdirectories.
-t  Lists files from most recent to oldest.
-1  Lists the files in one column.
Clean up the old file by specifying its name to the auditreduce -O command:
# auditreduce -O system-name old-not-terminated-file
Remove the old file:
# rm old-not-terminated-file
In the following example, not_terminated files are found, renamed, then the originals are removed.
# ls -R1t */* | grep not_terminated
…/egret.1/20100908162220.not_terminated.egret
…/egret.1/20100827215359.not_terminated.egret
# cd */egret.1
# auditreduce -O egret 20100908162220.not_terminated.egret
# ls -1t
20100908162220.not_terminated.egret        Current audit file
20100827230920.20100830000909.egret        Cleaned-up audit file
20100827215359.not_terminated.egret        Input (old) audit file
# rm 20100827215359.not_terminated.egret
# ls -1t
20100908162220.not_terminated.egret        Current audit file
20100827230920.20100830000909.egret        Cleaned-up audit file
The start time stamp on the new file reflects the time of the first audit event in the not_terminated file. The end time stamp reflects the time of the last audit event in the file.
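The following POSIX shell script is an added example, not part of the Oracle Solaris documentation, that automates the procedure above for a whole audit directory tree. It assumes the file naming shown on this page (start-timestamp.not_terminated.host), assumes that the newest not_terminated file per host is the one the audit service is still writing (the page's example leaves that "Current audit file" alone), and assumes that auditreduce -O writes the cleaned-up file into the current directory, which is why the page's example changes into the file's directory first. The original is removed only after auditreduce exits successfully, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not Oracle's code): clean up stale not_terminated audit
# files under an audit root, leaving the still-open file of each host alone.
# Assumed naming convention: <start-timestamp>.not_terminated.<host>

# Print stale not_terminated files under $1, one per line, as "<host> <path>".
# The newest not_terminated file per host is assumed to be the open one and
# is excluded.
stale_not_terminated() {
    root=$1
    # Emit "<host> <timestamp> <path>" for every not_terminated file found.
    find "$root" -type f -name '*.not_terminated.*' | while IFS= read -r path; do
        name=${path##*/}
        stamp=${name%%.*}                    # leading start-timestamp
        host=${name##*.not_terminated.}      # trailing host suffix
        printf '%s %s %s\n' "$host" "$stamp" "$path"
    done | sort -k1,1 -k2,2r | awk '
        # Sorted by host, then newest first: the first line per host is the
        # file still in use, so skip it and print the rest.
        $1 != prev { prev = $1; next }
        { print $1, $3 }'
}

# Run auditreduce -O on each stale file (from its own directory, as the
# documented example does) and remove the original only on success.
# DRY_RUN=1 prints what would be done instead.
cleanup_not_terminated() {
    root=$1
    stale_not_terminated "$root" | while read -r host path; do
        dir=${path%/*}
        file=${path##*/}
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: (cd '$dir' && auditreduce -O '$host' '$file' && rm '$file')"
            continue
        fi
        if (cd "$dir" && auditreduce -O "$host" "$file"); then
            rm -- "$path"
            echo "cleaned: $path"
        else
            echo "auditreduce failed, keeping: $path" >&2
        fi
    done
}

# Usage: sh cleanup_not_terminated.sh /var/audit   (DRY_RUN=1 to preview)
if [ $# -gt 0 ]; then
    cleanup_not_terminated "$1"
fi
```

Review the DRY_RUN output first: a host whose audit service has stopped entirely has no open file, so its newest not_terminated file is also stale and would need to be cleaned by hand with the manual steps above.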