| |
The server protects audit files to prevent unauthorized users from accessing or deleting the files. However, hardware problems, software problems, or power failures can cause the loss of audit data records or entire audit data files.
WARNING: Improper shutdown of the server is a potential cause of file corruption (including audit file corruption). Be sure to properly down the server, then exit from the server, before turning off the server's power.
In addition to audit loss that can be caused by hardware or software problems or loss of power to the machine, you can lose audit events if the configured number of audit files are filled or disk space fills up and the audit trail is improperly configured. The server provides the following three configuration options for handling audit overflow.
Archive the current audit file. When an audit file reaches its maximum size or the server is unable to write an audit record (for example, the disk is full), the server archives the current audit file. This consists of saving the current audit file as an old audit file and creating a new current audit file.
The server can maintain online storage for up to 15 old audit files, where the maximum number of old audit files is a configuration setting of the Audit File object's Audit Policy. If the server already has the maximum number of old online audit files, it deletes the oldest of the old audit files. Use of this option is not recommended, as it can lead to data loss.
Continue without auditing. Actions which would otherwise be audited are not audited by the server. Use of this option is not recommended, except in emergency situations, as it results in the loss of audit coverage.
Disallow audited/auditable events. If the audit trail is a volume audit trail, then any facility which is potentially auditable (such as NCP service) is disallowed, even if that particular event wouldn't cause an audit record to be generated. If the audit trail is a container audit trail, then any event which requires auditing is disallowed, but only if that particular event would cause an audit record to be generated. If the audit trail is an external audit trail, then submission of audit records is disallowed (that is, external audit records are rejected).
Audit Trail Overflow, Audit Trail Overflow, and Audit Trail Overflow provide more information on how to recover from audit overflow for volume, container, and external audit trails, respectively.
As the server approaches the configured file size limit for an audit file, it sends warnings to the server console. When the server detects a full condition in any audit file (volume, container, or external) and the selected option for that audit trail is to disallow audited/auditable events or to continue without auditing, it sends a warning to the server console and to any logged-in auditor of the audit trail.
At this point, the auditor must resolve the full condition by backing up and deleting old audit files (or ordinary files, if the situation was caused because the volume is full) and performing a manual archive, which causes the current audit file to become an old audit file, and starts a new current audit file.
WARNING: When you see a message indicating that an audit trail is full, you should take immediate action to resolve the condition. Until you do, audit data will be lost (if the continue without auditing option is in use) or users will be unable to use the server (if the disallow audited/auditable events option is in use).
| |