Applies to: All versions of Centrify DirectAudit
Does DirectAudit continue to audit sessions when the disk fills up? Can disk space thresholds be adjusted? Will users be able to log in during this time?
Let's run through two scenarios, i.e., what happens when the disk fills up while the DirectAudit daemon (dad) is online or offline.
Scenario 1: DirectAudit daemon (dad) is online with all-shells enabled:
1) If available space on the disk is over the threshold, DirectAudit will still let the user log in, but no auditing will occur.
2) There will be no warning for the user logging in. This is intentional, as you may not want to tell the user that auditing has stopped.
3) dainfo --diag will warn that DirectAudit may not be auditing due to the filesystem space issue, as shown in the example:
Database filesystem usage: 5.66 GB used, 5.69 GB total, 29.63 MB free
WARNING: 100% of the filesystem which contains the offline database is in use. Continuous offline activity may cause auditing to stop if disk space runs low.
The dainfo --diag command will warn when the disk reaches a specified percentage of full. The default value, which is set in the /etc/centrifyda/centrify.conf file, is 10%. The DirectAudit daemon, dad, checks disk space every hour. You can change this setting, as well as the definition of full, in the /etc/centrifyda/centrify.conf file:
# Warn with dainfo when disk is 50% full
# Check disk space every 60 seconds. Must be 30 or greater.
4) If addebug was on, you would see the above error in /var/log/centrifyda.log.
5) If you have an already open session that is being audited and dad hits spool.diskspace.min, it stops auditing. When the check for free space passes, auditing of the session begins again.
6) If you open a session while dad is not auditing due to space issues, that session is not audited when auditing starts again. It behaves like a session that was opened before you enabled auditing.
Scenario 2: DirectAudit daemon (dad) is offline with all-shells enabled:
1) The user can log in when dad is offline.
2) Sessions are spooled locally until dad comes online again, at which point it will despool to the collector.
3) If the filesystem becomes full, it will stop auditing any open sessions. It will periodically check:
a) whether it can despool;
b) whether the free space check passes.
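Because users get no warning when auditing stops (Scenario 1, items 2 and 3), the dainfo --diag output is the signal to monitor. The following is an added example, not Centrify's own tooling: a shell function that parses the usage line in the format quoted above and raises an alert. The function name, the status line format, the KB/TB units and the 1024-based conversion are assumptions.

```shell
# Added example: turn `dainfo --diag` output into a monitoring check.
# Constructed sample input, copied from the example output in the article.
SAMPLE_DIAG='Database filesystem usage: 5.66 GB used, 5.69 GB total, 29.63 MB free
WARNING: 100% of the filesystem which contains the offline database is in use. Continuous offline activity may cause auditing to stop if disk space runs low.'

# check_da_spool [MIN_FREE_PCT]   (hypothetical helper; reads diag text on stdin)
# Prints one status line. Returns 0 = ok, 1 = alert, 2 = usage line not found.
check_da_spool() {
    awk -v min="${1:-10}" '
        # Convert a value and unit to MB (binary multiples assumed).
        function to_mb(v, u) {
            if (u == "KB") return v / 1024
            if (u == "MB") return v
            if (u == "GB") return v * 1024
            if (u == "TB") return v * 1024 * 1024
            return -1
        }
        /^Database filesystem usage:/ {
            # Fields 7/8 hold the total and its unit, 10/11 the free space.
            total = to_mb($7, $8); free = to_mb($10, $11); seen = 1
        }
        # dainfo itself already flagged the offline database filesystem.
        /^WARNING:.*offline database/ { warned = 1 }
        END {
            if (!seen || total <= 0 || free < 0) {
                print "UNKNOWN no usage line"; exit 2
            }
            pct = free * 100 / total
            state = (pct < min || warned) ? "ALERT" : "OK"
            printf "%s free=%.2f%% min=%s%% dainfo_warning=%s\n", \
                state, pct, min, (warned ? "yes" : "no")
            exit (state == "ALERT" ? 1 : 0)
        }'
}

# On an audited host: dainfo --diag | check_da_spool 10
printf '%s\n' "$SAMPLE_DIAG" | check_da_spool 10 || true
```

Run it from cron or a monitoring agent and treat exit code 2 as a failure too, since output without a usage line means the check cannot confirm that auditing is healthy.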