Quote:
Originally Posted by xmdms
Hi,
Has anyone ever heard of the audit daemon being suspended due to the space threshold being reached and possibly hanging a server? How do you go about increasing the threshold or deleting old files when the threshold is reached?
I am running RHAS 3.0 on HP Itanium servers.
Thank you in advance and have a great day.
When the filesystem containing the audit logs exceeds 80% utilization, things start randomly hanging on the system; the auditd service will definitely hang if the /var file system reaches 100% disk space. Normally the audit services write save.* and bin.* files in the /var/log/audit.d/ directory. If the /var file system is 100% full then the audit services may hang.
You can make changes to /etc/audit/audit.conf for the configuration and to filesets.conf to specify the rulesets for the same.
It's better to turn off the notify logging, as it puts an unnecessary amount of logs in the log files.
Check out this statement in audit.conf:
notify = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T 20%";
This will make the audit services go into "suspend mode" or hang whenever the /var filesystem reaches 80% utilization. Change the above line to
notify = "/bin/true";
This will make sure that the audbin command is not able to suspend the audit services.
Anyway, you can always stop the audit services if you are running a server. Use the chkconfig command to turn the audit service off.
Rgds,
Rahul.
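For the "delete old files" part of the question, one way to keep the save.* files under /var/log/audit.d/ from filling /var is to archive the oldest ones once they exceed a size budget. This is an added example, not part of the original thread; the function names, the byte budget and the archive directory are hypothetical, and it assumes save.* files are finished copies that are safe to move.

```shell
#!/bin/sh
# Added example (not from the thread): cap the space used by saved audit files.
# Assumption: save.* files are finished copies, so archiving them is safe;
# bin.* files may still be in use and are never touched.

# Print the total size in bytes of the save.* files in directory $1.
save_bytes() {
    total=0
    for f in "$1"/save.*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# prune_audit_saves DIR MAX_BYTES [ARCHIVE_DIR]
# While the save.* files in DIR exceed MAX_BYTES, take the oldest one (by
# modification time), gzip it into ARCHIVE_DIR if one is given, then remove
# it from DIR. Prints the number of files pruned.
prune_audit_saves() {
    dir=$1
    max_bytes=$2
    archive=${3:-}
    pruned=0
    while [ "$(save_bytes "$dir")" -gt "$max_bytes" ]; do
        oldest=$(ls -1tr "$dir"/save.* 2>/dev/null | head -n 1)
        [ -n "$oldest" ] || break
        if [ -n "$archive" ]; then
            mkdir -p "$archive" || return 1
            gzip -c "$oldest" > "$archive/$(basename "$oldest").gz" || return 1
        fi
        # Stop instead of looping forever if the file cannot be removed.
        rm -- "$oldest" || return 1
        pruned=$((pruned + 1))
    done
    echo "$pruned"
}

# Hypothetical cron usage (script name, budget and archive path are placeholders):
#   sh prune_saves.sh /var/log/audit.d 500000000 /archive/audit
if [ "$#" -ge 2 ]; then
    prune_audit_saves "$@"
fi
```

Pointing the archive directory at a file system other than /var keeps the audit trail available for later review while freeing the space that triggers the suspend.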