
IPO Server Edition 11.1.2.2.0 build 20 /var/log/audit/ folder huge

Status
Not open for further replies.

mhoxie

Systems Engineer
Mar 21, 2023
7
US
IPO Server Edition 11.1.2.2.0 build 20

Saw last night that my disk space was at 90% full.

Rooted in to see that the /var/log/audit/ folder was 57 gigs. Onex logging is off, and Onex is disabled. Besides, that log folder is /opt/avaya/onexportal/11.1.2200_30/apache-tomcat/logs. That folder is fine in size.

Anyone know what is causing these logs and how do I disable it? This server was ignited November 2022, and it's August 2023, and the folder was nearly 60 gigs. I deleted the files, but this is untenable for a server less than a year old.

The logs are as such:

/var/log/audit/audit.log.1 audit.log.2 audit.log.3 etc etc.

They contain text like this:

Code:
type=PROCTITLE msg=audit(1692913707.812:13664256): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=AVC msg=audit(1692913713.496:13664257): avc:  denied  { name_connect } for  pid=25029 comm=72733A616374696F6E203339207175 dest=5051 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692913713.496:13664257): arch=c000003e syscall=42 success=no exit=-13 a0=50 a1=7f1a5c007080 a2=10 a3=5 items=0 ppid=1 pid=25029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A616374696F6E203339207175 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=SOCKADDR msg=audit(1692913713.496:13664257): saddr=020013BB36AC0C310000000000000000
type=PROCTITLE msg=audit(1692913713.496:13664257): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=AVC msg=audit(1692913723.646:13664258): avc:  denied  { name_connect } for  pid=25029 comm=72733A616374696F6E203220717565 dest=5051 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1692913723.646:13664258): arch=c000003e syscall=42 success=no exit=-13 a0=55 a1=7f1a4c006fa0 a2=10 a3=5 items=0 ppid=1 pid=25029 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=72733A616374696F6E203220717565 exe="/usr/sbin/rsyslogd" subj=system_u:system_r:syslogd_t:s0 key=(null)
type=SOCKADDR msg=audit(1692913723.646:13664258): saddr=020013BB36AC0C310000000000000000
type=PROCTITLE msg=audit(1692913723.646:13664258): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=AVC msg=audit(1692913726.774:13664259): avc:  denied  { write } for  pid=17416 comm="sudo" name="tallylog" dev="sda3" ino=1573490 scontext=system_u:system_r:avaya_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1692913726.774:13664259): arch=c000003e syscall=2 success=yes exit=5 a0=7f2ac4952550 a1=2 a2=7fff3bd7f490 a3=3 items=1 ppid=17415 pid=17416 auid=4294967295 uid=994 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:avaya_t:s0 key="logins"
type=CWD msg=audit(1692913726.774:13664259):  cwd="/opt/webcontrol"
type=PATH msg=audit(1692913726.774:13664259): item=0 name="/var/log/tallylog" inode=1573490 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:faillog_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1692913726.774:13664259): proctitle=7375646F002D53002F6574632F696E69742E642F6D656469616D616E6167657200737461747573
type=USER_AUTH msg=audit(1692913726.780:13664260): pid=17416 uid=994 auid=4294967295 ses=4294967295 subj=system_u:system_r:avaya_t:s0 msg='op=PAM:authentication grantors=pam_tally2,pam_faillock,pam_unix acct="wcp" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1692913726.781:13664261): arch=c000003e syscall=2 success=yes exit=5 a0=7f2ac4952550 a1=2 a2=7fff3bd7f750 a3=3 items=1 ppid=17415 pid=17416 auid=4294967295 uid=994 gid=994 euid=0 suid=0 fsuid=0 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:avaya_t:s0 key="logins"
type=CWD msg=audit(1692913726.781:13664261):  cwd="/opt/webcontrol"
type=PATH msg=audit(1692913726.781:13664261): item=0 name="/var/log/tallylog" inode=1573490 dev=08:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:faillog_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1692913726.781:13664261): proctitle=7375646F002D53002F6574632F696E69742E642F6D656469616D616E6167657200737461747573
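The records quoted above are ordinary Linux auditd output, and the reason they are hard to read is that auditd hex-encodes any field that contains spaces or NUL bytes (`proctitle`, `comm`) and stores `saddr` as a raw `struct sockaddr`. As an added example, not taken from this thread or from Avaya, here is a small Python triage script that decodes those fields, merges the records that share one serial number into a single event, and counts AVC denials by source context, target context, class and permission so you can see which policy rule is generating most of the volume. The sample records embedded in it are constructed to match the shape of the ones in the post.

```python
"""Triage helper for a fast-growing /var/log/audit/audit.log (added example).

Decodes hex-encoded audit fields, groups records by serial into events and
counts SELinux AVC denials by (scontext, tcontext, tclass, perm, permissive).
"""
import re
import socket
import struct
from collections import Counter

# Constructed sample records, shaped like the ones quoted in the post.
SAMPLE_LOG = """\
type=AVC msg=audit(1692913713.496:13664257): avc:  denied  { name_connect } for  pid=25029 comm=72733A616374696F6E203339207175 dest=5051 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SOCKADDR msg=audit(1692913713.496:13664257): saddr=020013BB36AC0C310000000000000000
type=PROCTITLE msg=audit(1692913713.496:13664257): proctitle=2F7573722F7362696E2F727379736C6F6764002D6E
type=AVC msg=audit(1692913723.646:13664258): avc:  denied  { name_connect } for  pid=25029 comm=72733A616374696F6E203220717565 dest=5051 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1692913726.774:13664259): avc:  denied  { write } for  pid=17416 comm="sudo" name="tallylog" dev="sda3" ino=1573490 scontext=system_u:system_r:avaya_t:s0 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(1692913726.774:13664259): proctitle=7375646F002D53002F6574632F696E69742E642F6D656469616D616E6167657200737461747573
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp:serial
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}')
HEX_FIELDS = {"proctitle", "comm", "name", "exe", "cwd"}  # fields auditd may hex-encode


def decode_hex_field(value):
    """Return a plain string for a field that auditd hex-encoded (quoted values pass through)."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # not hex after all; keep as-is
    # argv separators in proctitle are NUL bytes; show them as spaces
    return raw.decode("utf-8", "replace").replace("\x00", " ")


def decode_saddr(value):
    """Decode the saddr of a SOCKADDR record. Handles AF_INET; other families return the family only."""
    raw = bytes.fromhex(value)
    family = struct.unpack_from("<H", raw, 0)[0]   # sa_family is in host order (little-endian on x86_64)
    if family != socket.AF_INET:
        return {"family": family}
    port = struct.unpack_from("!H", raw, 2)[0]     # sin_port is in network order
    return {"family": "AF_INET", "ip": socket.inet_ntoa(raw[4:8]), "port": port}


def parse_record(line):
    """Split one audit line into type, serial, timestamp and decoded key=value fields."""
    rec = {"type": None, "serial": None, "time": None, "fields": {}}
    m = MSG_RE.search(line)
    if m:
        rec["time"], rec["serial"] = float(m.group(1)), int(m.group(2))
    for key, value in KV_RE.findall(line):
        if key == "msg":
            continue
        if key in HEX_FIELDS:
            value = decode_hex_field(value)
        elif key == "saddr":
            value = decode_saddr(value)
        else:
            value = value.strip('"')
        rec["fields"][key] = value
    rec["type"] = rec["fields"].pop("type", None)
    m = AVC_RE.search(line)
    if m:  # AVC records carry the decision and permission set outside key=value syntax
        rec["fields"]["result"] = m.group(1)
        rec["fields"]["perms"] = m.group(2).split()
    return rec


def group_events(log_text):
    """Merge the AVC/SYSCALL/SOCKADDR/PROCTITLE records that share a serial into one event."""
    events = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"time": rec["time"], "types": [], "fields": {}})
        ev["types"].append(rec["type"])
        ev["fields"].update(rec["fields"])
    return events


def summarize_denials(log_text):
    """Count AVC denials by (scontext, tcontext, tclass, permission, permissive flag)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        f = rec["fields"]
        if rec["type"] != "AVC" or f.get("result") != "denied":
            continue
        for perm in f["perms"]:
            counts[(f["scontext"], f["tcontext"], f["tclass"], perm, f.get("permissive"))] += 1
    return counts


def describe(ev):
    """One-line human summary of a grouped event."""
    f = ev["fields"]
    out = [f"{f.get('scontext', '?')} -> {f.get('tcontext', '?')} ({f.get('tclass')}: {' '.join(f.get('perms', []))})"]
    if "proctitle" in f:
        out.append(f"cmd={f['proctitle']!r}")
    if isinstance(f.get("saddr"), dict) and "ip" in f["saddr"]:
        out.append(f"to={f['saddr']['ip']}:{f['saddr']['port']}")
    return "; ".join(out)


if __name__ == "__main__":
    for serial, ev in sorted(group_events(SAMPLE_LOG).items()):
        print(serial, describe(ev))
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, key)
```

Run against the real file with `python3 audit_triage.py < /var/log/audit/audit.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. On the records in the post the decoded output shows the two repeating denials for what they are: `rsyslogd` in `syslogd_t` being refused `name_connect` to a remote TCP port 5051, and `sudo` in `avaya_t` writing `/var/log/tallylog` in permissive mode. Each denied connection attempt produces four audit records, so a retrying log forwarder alone can account for the growth described above. The durable fixes are on the policy side (allow the connection rsyslog is expected to make, or stop the forwarding action if it is not wanted) rather than deleting the files; independently of that, `max_log_file`, `num_logs` and `max_log_file_action` in `/etc/audit/auditd.conf` bound how much space auditd is allowed to consume, and `aureport -a` gives the same per-rule counts from the system's own tooling.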
 
mhoxie I have several systems on that release and have had the same issue with the Audit files (I removed all but a few). The /var and root directories (df -h) were over 90%. In addition to the Audit files and Onex logs that were increasing the disk space, I noticed that the catalina.out file was at 12gig in size.
If you:
cd /opt/Avaya/apache-tomcat/logs
ls -ltrh catalina.out (will show you the size in readable format).
Lastly, I noted from a previous problem ticket for log files increasing that the fix was to change "debug" on the UCM Web manager solution page (Administrator icon next to the Question mark and press Preferences);
the mode of the server was ‘debugging’, which is why there were a lot of logs.
 