The cifs.audit.enable option is turned off automatically

Hi All,

The cifs.audit.enable option is turned off automatically when after 30 audit logs were logged. When I checked the ASUP, I have got the following error msg in ASUP.

Tue Dec  1 12:06:36 SGT [filer01: cifs.auditfile.autosaved.onsize:info]: Autosaving the CIFS audit log file (/vol/vol1/Share1/log/adtlog.evt)
Tue Dec  1 12:06:37 SGT [filer01: wafl.quota.qtree.exceeded:notice]: tid 20: tree quota exceeded on volume vol1. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.
Tue Dec  1 12:06:37 SGT [filer01: cifs.auditfile.logFile.IOError:error]: ALF I/O error 0x1c (No space left on device) on file /vol/vol1/Share1/log/adtlog.evt.tmp: writing.
Tue Dec  1 12:06:37 SGT [filer01: cifs.audit.tmpfile.IOerr:error]: Access Logging Facility (ALF) I/O error 0x1c (No space left on device) on file /etc/log/cifsaudit.alf: I/O error while writing event records to temporary file. Use the command 'cifs audit start' to restart CIFS auditing.
Tue Dec  1 12:06:37 SGT [filer01:]: ALF: CIFS auditing stopped.

The current cifs.audit settings are as follow:

cifs.audit.account_mgmt_events.enable off       
cifs.audit.autosave.file.extension timestamp 
cifs.audit.autosave.file.limit 30       
cifs.audit.autosave.onsize.enable on       
cifs.audit.autosave.onsize.threshold 75%       
cifs.audit.autosave.ontime.enable on       
cifs.audit.autosave.ontime.interval 1d       
cifs.audit.enable            off       
cifs.audit.file_access_events.enable on       
cifs.audit.liveview.enable   off       
cifs.audit.logon_events.enable on       
cifs.audit.logsize           20000000 
cifs.audit.nfs.enable        off       
cifs.audit.saveas            /vol/vol1/Share1/log/adtlog.evt

Please help me to find out what was wrong in these above settings.

The another thing I would like to do is that I would like to log the cifs auditing day by day basic and after the month ends, the oldest log will be purged and circular the logging. How should I change the settings for take effect this requirement.

Thank you and well appreciated for help.

Best Regards.


Re: The cifs.audit.enable option is turned off automatically

Hi Lin.

It seems that you donn't have any space left on vol1 to save your events files.

You may change the destination path that will store your event files using

options cifs.audit.saveas            /vol/vol1/Share1/log/adtlog.evt

or add space to the vol1 volume or to /vol/vol1/Share1 qtree.

Hope this may help.

Best regards


Re: The cifs.audit.enable option is turned off automatically

Just a few more information :

audit stop as soon as anything may attempt to the system stability (lack of space in the volume for example).

Your config ask the system to create a new file every day or when the log file size is more than 20000000 (which does not refer directly to the destination event file size), first that happened will générate the log rotate. So you may have more than 1 file per day.

You shoud set cifs.audit.autosave.onsize.enable to off if you only whan to rotate every day.     

Audit remains in memory until they are writtent on disk. If there is to many events, some will be lost, until the log rotate, with a "xxxx events dropped" or something like that message.

Best regards


Re: The cifs.audit.enable option is turned off automatically

Dear Régis,

Yes. Thank you very much and appreciated for you information. That was solved the problem. The CIFS audit was stopped because of the quota limit hit in the qtree which is audit logs reside.

Thank You & Best Regards,