Managing Audit Log Files

Cloud Control Real-time Monitoring only reads the audit logs; it never deletes them. If nothing else removes old audit files, they can fill the file system and prevent the system from logging additional events. To delete old audit events while still meeting the minimum monitoring requirements, follow these steps:

  1. Set the auditing policy to drop new events (keeping only a count of the dropped events) rather than suspending all processes when the audit trail cannot be written, by running the following command:

    # auditconfig -setpolicy cnt

  2. Run the following command to force the audit daemon to close the current audit log file and use a new log file:

    /usr/sbin/audit -n

  3. Run the following command to merge all existing closed auditing log files into a single file with an extension of .trash and then delete the files:

    /usr/sbin/auditreduce -D trash

  4. Create a cron job to periodically run the commands in Steps 2 and 3 above. The frequency at which these two commands are run can be adjusted based on the anticipated event volume and the amount of disk space allocated to auditing. The only requirement is that the time between the audit -s command and the auditreduce -D trash command is at least 15 minutes, or twice the reporting interval if that interval has been changed.
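A cron wrapper for Steps 2 and 3, as an added example rather than part of the Oracle documentation: it rotates the audit file and purges closed files as two separate cron invocations so that the purge runs only after the required gap. It assumes the Solaris audit and auditreduce commands under /usr/sbin, execution as root, and a DRYRUN variable (an assumption of this example) that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation.
# Usage: audit_rotate.sh rotate | purge | cron
#   rotate  - Step 2: close the active audit file, start a new one
#   purge   - Step 3: merge closed files into a .trash file and delete them
#   cron    - print the two crontab lines that schedule rotate and purge
# Assumes /usr/sbin/audit and /usr/sbin/auditreduce (Solaris), run as root.
# DRYRUN=1 (assumption of this example) prints commands instead of running them.

REPORT_INTERVAL_MIN="${REPORT_INTERVAL_MIN:-5}"  # Real-time Monitoring reporting interval (constructed default)
DRYRUN="${DRYRUN:-0}"

# Minimum minutes between the rotate and the purge: 15 minutes, or twice
# the reporting interval, whichever is larger (the requirement in Step 4).
min_gap_minutes() {
    twice=$(( $1 * 2 ))
    if [ "$twice" -gt 15 ]; then echo "$twice"; else echo 15; fi
}

run_cmd() {
    if [ "$DRYRUN" = 1 ]; then echo "DRYRUN: $*"; else "$@"; fi
}

# Step 2: force auditd to close the current audit log file and open a new one.
rotate_audit_log() { run_cmd /usr/sbin/audit -n; }

# Step 3: merge all closed audit files into one .trash file and delete them.
purge_closed_logs() { run_cmd /usr/sbin/auditreduce -D trash; }

# Emit two crontab lines: rotate at the top of every hour, purge GAP minutes
# later. $1 = path of this script, $2 = reporting interval in minutes.
# The hourly cycle only works while the gap fits inside one hour.
crontab_lines() {
    gap=$(min_gap_minutes "$2")
    if [ "$gap" -ge 60 ]; then
        echo "gap of $gap minutes does not fit an hourly cycle; lengthen the schedule" >&2
        return 1
    fi
    printf '0 * * * * %s rotate\n' "$1"
    printf '%d * * * * %s purge\n' "$gap" "$1"
}

case "${1:-}" in
    rotate) rotate_audit_log ;;
    purge)  purge_closed_logs ;;
    cron)   crontab_lines "$0" "$REPORT_INTERVAL_MIN" ;;
esac
```

Install the output of `audit_rotate.sh cron` into root's crontab; with the default 5-minute reporting interval the purge is scheduled 15 minutes after each rotate.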