Configuring auditing

Using auditlog to specify the high water mark

The high water mark controls the amount of data stored in an audit buffer before the auditing subsystem switches to the next available buffer. Whenever an audit record would make the amount of data in the buffer larger than the high water mark, the auditing subsystem flags the buffer as writable and switches to the next available buffer. It also awakens a daemon process that writes the flagged buffer to the audit event log file and returns it to the set of available buffers. The default high water mark is the size of the audit buffer itself. The audit buffer size is the system tunable parameter ADT_BSIZE. This is defined in the /etc/conf/mtune.d/audit file.

To specify a new high water mark, use the -v option of the auditlog command. This option takes an integer as an argument; the integer specifies the size of the high water mark in bytes.

For example, to set the high water mark to 1024 bytes, enter the following command:

auditlog -v 1024

The valid range of values is from zero (0) to ADT_BSIZE. If the value for the high water mark is not within the correct range, auditlog prints the following error message:

   invalid high water mark specified

   Audit Buffer High Water Mark Must Be >= 0 or
   <= current buffer size in bytes bytes

The auditlog command replaces the string current buffer size in bytes with the appropriate number, based on your system's value for ADT_BSIZE.

To determine an appropriate value for the high water mark, you need to evaluate the tradeoffs. A relatively low value ensures that the buffers are written to the log file more frequently; however, this increases system overhead. A relatively high value can improve performance but also increases the risk that a large amount of audit data will still be sitting unwritten in a buffer, and therefore lost, if the system crashes.

Writing records directly to the log file

If you set the high water mark to a value of zero, the auditing subsystem bypasses the audit buffer and writes audit records directly to the log file. This direct write allows you to use the -w option of auditrpt to monitor events as they occur. Bypassing the audit buffer increases the number of disk writes and process switches that take place. This extra processing will affect the performance of the machine and significantly reduce system throughput.
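The buffer-switching rule, the tradeoff behind choosing a high water mark, and the zero-value direct-write path can all be seen in a small model of the mechanism. This is an added example, not SCO's code: it assumes an ADT_BSIZE of 4096 and a single stream of record sizes, and it simply starts a fresh buffer for a record larger than the mark.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for the model; on a real system ADT_BSIZE is the
 * tunable in /etc/conf/mtune.d/audit. */
#define ADT_BSIZE 4096

struct audit_stats {
    size_t flushes;       /* buffers flagged writable (or direct writes) */
    size_t max_unflushed; /* most data ever waiting in a buffer (lost on a crash) */
};

/* Feed a stream of record sizes through the high-water-mark rule: a record is
 * appended unless it would push the buffer's contents over hwm, in which case
 * the buffer is flagged writable and the record starts the next buffer.
 * hwm == 0 models the direct-write path (no buffering at all).
 * Modelling assumption: a record larger than hwm simply starts a fresh buffer.
 * Returns -1 when hwm is outside 0..ADT_BSIZE, as auditlog -v rejects it. */
int audit_simulate(const size_t *rec, size_t nrec, size_t hwm,
                   struct audit_stats *st)
{
    size_t used = 0;
    memset(st, 0, sizeof *st);
    if (hwm > ADT_BSIZE)
        return -1;
    for (size_t i = 0; i < nrec; i++) {
        if (hwm == 0) {               /* bypass the audit buffer entirely */
            st->flushes++;
            continue;
        }
        if (used > 0 && used + rec[i] > hwm) {
            st->flushes++;            /* flag buffer writable, switch buffers */
            used = 0;
        }
        used += rec[i];
        if (used > st->max_unflushed)
            st->max_unflushed = used;
    }
    return 0;
}
```

Running the same record stream with a high water mark of 0, 1024 and ADT_BSIZE shows flushes falling as the mark rises while the amount of data at risk in a buffer grows.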

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004