Using the Audit Manager

Maintaining collection directories

The tasks related to directory maintenance are described in the sections that follow.

Both collection files (generated by the subsystem) and compaction files (generated by the audit daemon) are written to directories you specify. An audit session may contain files written to many different directories. At the conclusion of a session, only the compaction files remain, because the collection files are removed by the subsystem as they are read by the audit daemon. You do not need to keep track of the directories into which files are written because a session log file maintains this information.

You can improve the system's performance by placing the audit directories on a filesystem that resides on a different physical device from the rest of the filesystems. This reduces competition for disk resources. Also, auditing requires large amounts of space, even with compaction. The subsystem warns you when disk space is low, and it eventually disables auditing if the free space of a filesystem is too low. For this reason, multiple directories are supported by the subsystem and the daemon. If an error occurs in writing to a directory or if space is exhausted, the subsystem and the daemon attempt to use alternate directories to continue.

Listing collection directories

In the Audit Manager, select Collection -> Directories -> List.

You see a list of the current audit directories.

Creating a collection directory

In the Audit Manager, select Collection -> Directories -> Create. Enter each filename as an absolute pathname. There is no limit on the number of directories you may specify.

You also have the option of adding the directory to the list of available directories used by the audit subsystem:

At End
adds new directory at end of existing list.

Insert
inserts new directory before an existing one.

A third option does not add this directory to the collection directories list.

If no directories are specified, the subsystem and the daemon create all files in the root filesystem using the reserved audit subsystem directory /tcb/audittmp (the default configuration file setup). Directories are used sequentially as they are filled with data; this is why it is necessary to specify the position. When session files are backed up and removed from the audit directories, the system places new audit data in the first directory.
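The following script is an added example, not part of the SCO documentation. It checks a proposed, ordered list of collection directories against the points above: absolute pathnames, a filesystem other than root, and alternates that do not share a filesystem (an alternate on the same filesystem offers no extra space when the first one fills). It assumes a POSIX df that accepts -P and -k; the MIN_KB threshold and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SCO-supplied): vet an ordered list of proposed audit
# collection directories before entering them in the Audit Manager.
# Assumes a POSIX df accepting -P and -k; MIN_KB is a constructed threshold.
MIN_KB=${MIN_KB:-102400}
SEEN_FS=""

# Mount point of the filesystem that holds $1 (empty if df fails).
fs_of() { df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}'; }

# Free space on that filesystem, in KB (empty if df fails).
free_kb() { df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'; }

# check_dir DIR: print one verdict line; return 0 = OK, 1 = unusable, 2 = warning.
check_dir() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "FAIL $dir: not an absolute pathname"; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "FAIL $dir: no such directory"; return 1; }
    fs=$(fs_of "$dir"); free=$(free_kb "$dir")
    [ -n "$fs" ] && [ -n "$free" ] || { echo "FAIL $dir: df gave no data"; return 1; }
    # Audit data on the root filesystem competes with everything else for disk.
    # This compares filesystems only; it cannot tell which physical device is used.
    if [ "$fs" = "$(fs_of /)" ]; then
        echo "WARN $dir: shares the root filesystem"; return 2
    fi
    # An alternate directory only helps if it has its own free space.
    case "|$SEEN_FS|" in
        *"|$fs|"*) echo "WARN $dir: same filesystem as an earlier entry ($fs)"; return 2 ;;
    esac
    SEEN_FS="$SEEN_FS|$fs"
    if [ "$free" -lt "$MIN_KB" ]; then
        echo "WARN $dir: only $free KB free on $fs"; return 2
    fi
    echo "OK   $dir: $free KB free on $fs"
}

# Entries are checked in the order given, which is the order they would be used.
for d in "$@"; do check_dir "$d" || true; done
```

Run it with the candidate directories as arguments, in the order they will appear in the list.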

Deleting a collection directory

In the Audit Manager, select Collection -> Directories -> Delete. Enter the directory to be deleted. Press <F3> for a list.

Adding a collection directory entry

In the Audit Manager, select Collection -> Directories -> Add. Enter the directories as absolute pathnames.

You can also add an existing directory to the list used by the audit subsystem. Directories are used in the order listed. A new entry can either be inserted into the list or placed at the end. When you are asked to select the directory entry to be added to the list and specify the placement, select At End or Insert.

Removing a collection directory entry

In the Audit Manager, select Collection -> Directories -> Remove. Select the entry to be removed. Press <F3> for a list. This removes an audit directory entry from the list of available directories.


© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003