Applies to: All versions of Centrify DirectAudit
On a Centrify machine running DirectAudit, the /var/centrifyda/audit.db file has grown to more than 2 GB. Auditing is disabled on the zone, so why does the file keep growing and filling up the disk? How does one clean up the audit.db file? Can it just be deleted?
Daemon Status: Offline
Auditing for zone: Disabled
Offline Store Size: 1.07 GB
Direct Audit is enabled on the following:
Direct Audit is NOT enabled on the following:
/bin/jsh (linked to ../../sbin/sh)
/bin/pfsh (linked to ../../sbin/sh)
/bin/sh (linked to ../../sbin/sh)
srwxrwxrwx 1 root root 0 Feb 7 17:46 audit
-rw------- 1 root was 2000093184 Feb 7 17:44 audit.db
-rw-r--r-- 1 root root 599 Jan 23 2010 audited.lst
Even though auditing is disabled at the zone level, auditing on all shells on the Linux/Unix machine remains enabled until dacontrol -d -a is run. If you do not wish to audit this machine, the correct procedure is to disable auditing on all shells on the Unix machine as well.
1) As root, run dacontrol -d -a (where 'd' means 'disable' and 'a' is for all).
2) If the data in audit.db is not important to you, you can delete the file (after stopping dad).
3) After this, run dainfo --diag (as root) and check whether the file is still growing.
Also note that if the collector is unreachable, auditing spools to the local file /var/centrifyda/audit.db, which then grows in size. Once a collector is available, the de-spooling process takes data out of the local spool and sends it to the collector (which then stores the data in its permanent location, i.e. the database).
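The check in step 3 can be scripted. The following is an added example, not Centrify's own tooling: it reads the status text shown above on stdin and flags the situation this article describes. The field labels come from the output above; the flag names, the binary size units and the 1 GiB default limit are assumptions.

```shell
#!/bin/sh
# Constructed sample: the three status lines from the article's output.
SAMPLE='Daemon Status: Offline
Auditing for zone: Disabled
Offline Store Size: 1.07 GB'

# spool_flags [LIMIT_BYTES]  (reads `dainfo --diag` text on stdin)
# Prints space-separated flags, or "ok". Flag names and the 1 GiB default
# limit are assumptions of this sketch, not Centrify settings.
spool_flags() {
    awk -F': *' -v limit="${1:-1073741824}" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks / CR
        /^Auditing for zone:/  { zone = $2 }
        /^Offline Store Size:/ { split($2, p, " "); size = p[1]
                                 unit = toupper(p[2]); seen = 1 }
        END {
            if (!seen) { print "no-size-line"; exit }
            # Assumption: units are binary; a bare number is bytes.
            mult = 1
            if (unit == "KB") mult = 1024
            else if (unit == "MB") mult = 1024 * 1024
            else if (unit == "GB") mult = 1024 * 1024 * 1024
            bytes = size * mult
            out = ""
            # Case from the article: zone auditing off, yet data is spooled.
            if (zone == "Disabled" && bytes > 0) out = out " spool-while-zone-disabled"
            if (bytes >= limit + 0) out = out " over-limit"
            print (out == "" ? "ok" : substr(out, 2))
        }'
}

# Demo on the sample; on a host: dainfo --diag | spool_flags
printf '%s\n' "$SAMPLE" | spool_flags
```

A "spool-while-zone-disabled" result is the cue to run dacontrol -d -a as in step 1; "over-limit" alone points at an unreachable collector.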