Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1885: How does DirectAudit handle auditing of sesions, login when system is running low/out of disk space

Centrify DirectAudit ,   Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:02 AM

Applies to: All versions of Centrify DirectAudit

Question:
Does DirectAudit continue to audit the sessions when disk fills up ?  Can disk space thresholds be adjusted ? Will users be able to login during this time ?

Answer:
Lets run through two scenario's i.e., what happens when disk fills up when DirectAudit daemon (dad ) is online or offline.

Scenario 1: DirectAudit daemon (dad ) is online with all-shells enabled:

1)  If available space on the disk is over the threshold, DirectAudit will still let the user login, but no auditing will occur.
2)  There will be no warning for the login user. This is intentional as you may not want to tell the user that auditing stopped.
3)  dainfo --diag will warn that DirectAudit may not be auditing due to the filesystem space issue as shown in the example:

Database filesystem usage: 5.66 GB used, 5.69 GB total, 29.63 MB free
WARNING: 100% of the filesystem which contains the offline database is in use. Continuous offline activity may cause auditing to stop if disk space runs low.

The dainfo --diag command will warn when the disk reaches a specified percentage of full. The default value, which is set in the /etc/centrifyda/centrify.conf file is 10%. The DirectAudit daemon, dad, checks disk space every hour. You can change this setting, as well as the definition for full, in the /etc/centrifyda/centrify.conf file;

for example:


# Warn with dainfo when disk is %50 full
spool.diskspace.min: 50

# Check disk space every 60 seconds. Must be 30 or greater.
dad.timer.diskspace: 60


4)  If addebug was on, you would see above error in /var/log/centrifyda.log.
5) If you had an already open session that is being audited and dad hits the spool.diskspace.min it stops auditing. When the check for free space passes then the auditing of session begins again
6)  If you open a session when dad is not auditing due to space issues, it does not audit that session when we do start auditing again. It behaves like an open session before you enable auditing.

Scenario 2: DirectAudit daemon (dad ) is offline with all-shells enabled:

1)  The user can login when dad is offline.
2)  Sessions are spooled locally, until dad becomes online again at which point it will despool to the collector.
3)  If the filesystem becomes full it will stop auditing any open sessions. It will periodically check
       a) whether it can despool
       b) whether the free space check passes.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.