From: rdbrown06 on 9 Sep 2009 09:52

I am running Solaris 8 on a Sun box and having an audit problem. Per NISPOM standards I have to do auditing on events, and as you know BSM turned on creates tons of events, so I have a filter_audit script I run to filter these events based on keywords. This process normally takes a few hours for a 1-2 GB weekly audit file.

The other day I ran the script like normal and it ripped through it in about 2 seconds, creating a reduced audit file with nothing in it. I tried again and the same thing happened. While doing some troubleshooting I think I found the problem, and that is the executable "auditreduce", which my script calls, only produces 2 events, 1 from 1970 and 1 from the current date. This happens when I run ## auditreduce -R /archive1/auditlogs (the place where my logs are stored).

When I run the same command on a similar machine I actually get tons of filtered events like normal. Both auditreduces are identical, as are the scripts calling it. Many Google searches have turned up nothing. Any help would be great.

From: Stefaan A Eeckels on 26 Sep 2009 10:01

On Wed, 9 Sep 2009 06:52:24 -0700 (PDT) rdbrown06 <rdbrown06(a)gmail.com> wrote:

> The other day I ran the script like normal and it ripped through it in
> about 2 seconds, creating a reduced audit file with nothing in it. I
> tried again and the same thing happened. While doing some
> troubleshooting I think I found the problem and that is the executable
> "auditreduce", which my script calls, only produces 2 events, 1 from
> 1970 and 1 from the current date. This happens when I run ##
> auditreduce -R /archive1/auditlogs (the place where my logs are
> stored).

The behaviour you describe is what happens when auditing has not been turned on. Are you sure no-one ran bsmunconv? Are you sure there is audit data in /archive1/auditlogs?

> When I run the same command on a similar machine I actually get tons
> of filtered events like normal. Both auditreduces are identical as are
> the scripts calling it.

It's unlikely that the programs are to blame. You either have no audit data, or are looking in the wrong directory.

--
Stefaan A Eeckels
--
Ninety-Ninety Rule of Project Schedules: The first ninety percent of the task takes ninety percent of the time, and the last ten percent takes the other ninety percent.
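
The following check is an added example, not part of the thread and not code from either poster. It tests the two causes named in the reply (no audit data, or the wrong directory) by counting non-empty audit trail files both directly in a directory and under its `*/files` subdirectories, which is where auditreduce(1M) documents `-R` as looking. The function names and the `searched`/`misplaced`/`empty` labels are made up for this example, and it needs a POSIX shell rather than the legacy Bourne `/bin/sh`.

```shell
#!/bin/sh
# Added example: locate BSM audit trail files relative to an audit root.
# Trail files are named <start>.<end>.<suffix>; start is a 14-digit
# yyyymmddhhmmss timestamp, end is another timestamp or "not_terminated".
TS='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# Print the number of non-empty trail files directly inside directory $1.
count_trails() {
    n=0
    for f in "$1"/*; do
        # Skip directories, missing paths and zero-length files.
        [ -f "$f" ] && [ -s "$f" ] || continue
        case "${f##*/}" in
            $TS.$TS.* | $TS.not_terminated.*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Classify audit root $1 the way "auditreduce -R" would see it:
#   searched  N : N trail files under $1/*/files (the layout -R examines)
#   misplaced N : N trail files, but only directly in $1
#   empty     0 : no non-empty trail files in either place
check_audit_root() {
    nested=0
    for d in "$1"/*/files; do
        [ -d "$d" ] || continue
        nested=$((nested + $(count_trails "$d")))
    done
    flat=$(count_trails "$1")
    if [ "$nested" -gt 0 ]; then
        echo "searched $nested"
    elif [ "$flat" -gt 0 ]; then
        echo "misplaced $flat"
    else
        echo "empty 0"
    fi
}

# Usage: sh check_audit_root.sh /archive1/auditlogs
if [ $# -gt 0 ]; then
    check_audit_root "$1"
fi
```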