Hello, AIX gurus!
I have a server with AIX auditing switched on. The auditing is running in BIN mode and logs the events, but the collection bins do not seem to be rotating. The configuration is:
# cat /etc/security/audit/config
start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
# cat /etc/security/audit/bincmds
/usr/sbin/auditcat -p -o $trail $bin
# ls -l /audit
total 443656
-rw------- 1 root system 0 Mar 28 11:46 auditb
-rw-rw---- 1 root system 8192 Mar 28 18:18 bin1
-rw-rw---- 1 root system 211225621140 Jun 12 11:00 bin2
drwxr-xr-x 2 root system 256 Jan 22 22:24 lost+found
-rw------- 1 root system 15907358 Mar 28 17:44 trail
Note how bin2 file is 211 MBytes in size, however the config file's "binsize" parameter value suggests that the bins should be rotated after the collection size reaches 10 KBytes. Also note that the file "trail" has the same modification date as file "bin1", so it looks like the rotation hasn't happened since bin1 was switched to bin2.
The system is AIX 5.3.7.
I cannot see anything unusual, except for the absence of the "audit shutdown" command in /etc/rc.shutdown. Is it possible that the auditing program got "confused" because it wasn't shut down properly when the system rebooted and just kept logging to the same file? The system was rebooted 76 days ago (around 6th April, 2009) and the "non-active" bin file (bin1) has a modification date of 28th of March.
Does anyone have any idea what would be causing this?
Thanks in advance.
Greg.
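A monitoring check for the condition described in the post, added here as an example (it is not Greg's code and not part of AIX): it reads the bin: stanza of a config in /etc/security/audit/config format and flags a bin that has grown past binsize, which is exactly what an un-rotated bin2 looks like. The make_sample function builds a constructed config and bin files shaped like the ones above so the check can be tried offline; the 2 x binsize slack and reading sizes with wc -c are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check that AIX bin-mode audit
# bins are really being switched and flushed to the trail. Reads the bin:
# stanza of a file in /etc/security/audit/config format and compares each
# bin's size with binsize. Assumed slack: report only above 2 x binsize.

# cfg_value FILE KEY -> value of "KEY = value" inside the bin: stanza
cfg_value() {
    awk -v key="$2" '
        /^[A-Za-z]+:/ { stanza = $1 }
        stanza == "bin:" && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_bins [FILE] -> one line per bin "<path> <bytes> OK|OVERSIZE|MISSING";
# exit status 0 only when every bin is within the limit
check_bins() {
    cfg="${1:-/etc/security/audit/config}"
    binsize=$(cfg_value "$cfg" binsize)
    [ -n "$binsize" ] || { echo "no binsize in $cfg"; return 2; }
    limit=$((binsize * 2)); status=0
    for key in bin1 bin2; do
        path=$(cfg_value "$cfg" "$key")
        if [ ! -f "$path" ]; then
            echo "$path MISSING"; status=1; continue
        fi
        bytes=$(wc -c < "$path" | tr -d ' ')    # portable across AIX/Linux
        if [ "$bytes" -gt "$limit" ]; then
            echo "$path $bytes OVERSIZE"; status=1
        else
            echo "$path $bytes OK"
        fi
    done
    return $status
}

# make_sample DIR -> constructed config and bin files mirroring the post
# (binsize 10240, bin1 at 8192 bytes, bin2 grown past the limit); prints
# the generated config path so check_bins can be run against it offline
make_sample() {
    d="$1"; mkdir -p "$d/audit"
    printf 'start:\n\tbinmode = on\n\tstreammode = off\n\nbin:\n\ttrail = %s/audit/trail\n\tbin1 = %s/audit/bin1\n\tbin2 = %s/audit/bin2\n\tbinsize = 10240\n\tcmds = /etc/security/audit/bincmds\n\tfreespace = 65536\n' \
        "$d" "$d" "$d" > "$d/config"
    dd if=/dev/zero bs=8192 count=1 of="$d/audit/bin1" 2>/dev/null
    dd if=/dev/zero bs=8192 count=5 of="$d/audit/bin2" 2>/dev/null   # 40960 bytes
    : > "$d/audit/trail"
    echo "$d/config"
}
```

Run `check_bins` from cron against the real config; a non-zero exit with an OVERSIZE line is the signal that the bin switch or the bincmds auditcat step has stopped working.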