Using auditlog to specify the action when the log file is full
A log full condition is reached if one of the following occurs:

The log file is a regular file and it has reached the size specified by the
option of the

The log file is a regular file and the filesystem it resides in runs out of space.

The log file is a special character device, such as a tape drive, and the device cannot hold any more data.

The auditing subsystem takes one of the following actions when a log full condition

shut down the computer system

switch to an alternate log file and (if desired) run a program

The action taken depends on the value of the
parameter in the
The value for this parameter in the distributed system is
You can set the value of the AUDIT_LOGFULL parameter
System Defaults Manager
For example, to set auditing to be disabled upon a log full condition, enter the following command:

    defadm audit AUDIT_LOGFULL=DISABLE
You can override the value of the
parameter with the
options of the
option specifies that auditing will be disabled,
option specifies that the computer system will be shut down
options specify a switch to an alternate log file.
The ability to switch to an alternate log file, when the primary
log file is full, allows for continuous auditing.
Consider configuring your system to
switch to an alternate log file and to execute a program when the log switch occurs.
By doing so, you can create a continuous series of log files without
losing any audit data.
"Specifying continuous auditing" presents information on ways to accomplish this.
If you want the highest possible level of security and you cannot
configure an alternate log,
you should shut your system down when the log file becomes full.
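A pre-emptive check for the two regular-file log full conditions described above (size limit reached, filesystem out of space), as an added example that is not part of the original UnixWare documentation. The function names, the 90% warning threshold, and passing the log path, size limit and defaults file as arguments are assumptions; only the AUDIT_LOGFULL parameter name comes from the page.

```shell
#!/bin/sh
# Added example: warn before a regular-file audit log reaches a log full
# condition. Function names, thresholds and argument layout are assumptions.

# file_size_bytes FILE -> size of FILE in bytes
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# fs_free_kb FILE -> free kilobytes on the filesystem that holds FILE
fs_free_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# logfull_action DEFAULTS_FILE -> configured AUDIT_LOGFULL value, or UNSET
# DEFAULTS_FILE is any KEY=VALUE file; its real location is not assumed here.
logfull_action() {
    val=$(sed -n 's/^AUDIT_LOGFULL=//p' "$1" | tail -n 1)
    echo "${val:-UNSET}"
}

# check_audit_log LOG MAX_BYTES MIN_FREE_KB DEFAULTS_FILE
# MAX_BYTES is the size limit configured for the log (supplied by the caller).
# Returns 0 = ok, 1 = log at or above 90% of MAX_BYTES, 2 = filesystem low.
check_audit_log() {
    log=$1 max=$2 minfree=$3 defaults=$4
    size=$(file_size_bytes "$log")
    free=$(fs_free_kb "$log")
    action=$(logfull_action "$defaults")
    if [ "$free" -lt "$minfree" ]; then
        echo "WARN fs_low free_kb=$free on_full=$action"
        return 2
    fi
    if [ $((size * 10)) -ge $((max * 9)) ]; then
        echo "WARN size_near_limit size=$size max=$max on_full=$action"
        return 1
    fi
    echo "OK size=$size max=$max free_kb=$free on_full=$action"
}
```

Run `check_audit_log` from a scheduled job and alert on a non-zero return, so that a log full condition does not take effect before an operator has seen the warning.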
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004