
KB-1921: Direct audit db size is growing even after disabling auditing at zone level

Centrify DirectAudit

12 April,16 at 11:47 AM

Applies to: All versions of Centrify DirectAudit

Question:

On a Centrify machine running DirectAudit, the /var/centrifyda/audit.db file has grown to more than 2 GB. Auditing on the zone is disabled, so why is the file size increasing and filling up the disk? How does one clean up the audit.db file? Can it just be deleted?

Example:

 

root@qribrdcassas01:/var/centrifyda#dainfo

Daemon Status:      Offline
Auditing for zone:  Disabled
Current Collector:
Offline Store Size: 1.07 GB
Direct Audit is enabled on the following:

     /bin/bash
     /bin/csh
     /bin/ksh
....

 

Direct Audit is NOT enabled on the following:

     /bin/jsh (linked to ../../sbin/sh)
     /bin/pfsh (linked to ../../sbin/sh)
     /bin/sh (linked to ../../sbin/sh)
.....
   
root@qribrdcassas01:/var/centrifyda#ls -l

total 3909703

srwxrwxrwx   1 root     root           0 Feb  7 17:46 audit

-rw-------   1 root     was      2000093184 Feb  7 17:44 audit.db
-rw-r--r--   1 root     root         599 Jan 23  2010 audited.lst

Answer:

Even though auditing is disabled at the zone level, auditing on all shells on the Linux/Unix machine remains enabled until dacontrol -d -a is run. If you do not wish to audit this machine, the correct procedure is to disable auditing on all shells on the Unix machine as well.

1) As root, run dacontrol -d -a (where 'd' means 'disable' and 'a' is for all).

2) If the audit.db is not important to you, you can delete it (after stopping dad).

3) After this, run dainfo --diag (as root) and see if it is still growing.

Also note that if the collector is unreachable, auditing will spool to the local file /var/centrifyda/audit.db, which will grow in size. Once a collector is available, the de-spooling process takes data out of the local spool and sends it to the collector (which then stores the data in its permanent location, i.e. the database).
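
The two causes of growth described above can be told apart from dainfo output. The following is an added example, not Centrify code: it parses output in the shape shown in this article and reports whether shells are still audited while the zone is disabled, or whether the spool is growing with no collector. The function name check_dainfo, the 500 MB threshold, and the unit labels other than GB are assumptions.

```shell
#!/bin/sh
# Constructed sample: dainfo output in the shape shown in the article.
SAMPLE='Daemon Status:      Offline
Auditing for zone:  Disabled
Current Collector:
Offline Store Size: 1.07 GB
Direct Audit is enabled on the following:

     /bin/bash
     /bin/csh
     /bin/ksh

Direct Audit is NOT enabled on the following:

     /bin/jsh (linked to ../../sbin/sh)
     /bin/sh (linked to ../../sbin/sh)'

# check_dainfo [limit_mb]: read dainfo text on stdin, print one summary line.
# Hypothetical helper; limit_mb (default 500) is an assumed spool threshold.
check_dainfo() {
    awk -v limit_mb="${1:-500}" '
    /^Auditing for zone:/  { zone = $NF }
    /^Current Collector:/  { collector = (NF > 2) ? "set" : "none" }
    /^Offline Store Size:/ {
        n = $(NF-1); u = $NF
        # Only "GB" appears in the article; the other units are assumptions.
        if (u == "GB") mb = n * 1024
        else if (u == "MB") mb = n
        else if (u == "KB") mb = n / 1024
        else mb = n / 1048576
    }
    /^Direct Audit is enabled/     { section = "on";  next }
    /^Direct Audit is NOT enabled/ { section = "off"; next }
    section == "on" && $1 ~ /^\// { shells++ }
    END {
        verdict = "ok"
        # Zone disabled but shells still audited: the case this article covers.
        if (zone == "Disabled" && shells > 0) verdict = "shells-still-audited"
        # No collector and a large spool: audit.db grows until de-spooling.
        else if (collector == "none" && mb > limit_mb) verdict = "spooling-no-collector"
        printf "zone=%s collector=%s spool_mb=%d audited_shells=%d verdict=%s\n",
               zone, collector, mb, shells, verdict
    }'
}

# On a live host (assumption: dainfo is on PATH for root): dainfo | check_dainfo 500
printf '%s\n' "$SAMPLE" | check_dainfo 500
```
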

