The cifs.audit.enable option is turned off automatically

naing_lin · ‎2009-12-09

Hi All,

The cifs.audit.enable option is turned off automatically when after 30 audit logs were logged. When I checked the ASUP, I have got the following error msg in ASUP.

Tue Dec 1 12:06:36 SGT [filer01: cifs.auditfile.autosaved.onsize:info]: Autosaving the CIFS audit log file (/vol/vol1/Share1/log/adtlog.evt)
Tue Dec 1 12:06:37 SGT [filer01: wafl.quota.qtree.exceeded:notice]: tid 20: tree quota exceeded on volume vol1. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.
Tue Dec 1 12:06:37 SGT [filer01: cifs.auditfile.logFile.IOError:error]: ALF I/O error 0x1c (No space left on device) on file /vol/vol1/Share1/log/adtlog.evt.tmp: writing.
Tue Dec 1 12:06:37 SGT [filer01: cifs.audit.tmpfile.IOerr:error]: Access Logging Facility (ALF) I/O error 0x1c (No space left on device) on file /etc/log/cifsaudit.alf: I/O error while writing event records to temporary file. Use the command 'cifs audit start' to restart CIFS auditing.
Tue Dec 1 12:06:37 SGT [filer01: cifs.auditfile.enable.off:info]: ALF: CIFS auditing stopped.

The current cifs.audit settings are as follow:

cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 30
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable            off
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable   off
cifs.audit.logon_events.enable on
cifs.audit.logsize           20000000
cifs.audit.nfs.enable        off
cifs.audit.nfs.filter.filename
cifs.audit.saveas            /vol/vol1/Share1/log/adtlog.evt

Please help me to find out what was wrong in these above settings.

The another thing I would like to do is that I would like to log the cifs auditing day by day basic and after the month ends, the oldest log will be purged and circular the logging. How should I change the settings for take effect this requirement.

Thank you and well appreciated for help.

Best Regards.

Lin.

regis_graf · ‎2009-12-10

Hi Lin.

It seems that you donn't have any space left on vol1 to save your events files.

You may change the destination path that will store your event files using

options cifs.audit.saveas /vol/vol1/Share1/log/adtlog.evt

or add space to the vol1 volume or to /vol/vol1/Share1 qtree.

Hope this may help.

Best regards

Regis

regis_graf · ‎2009-12-10

Just a few more information :

audit stop as soon as anything may attempt to the system stability (lack of space in the volume for example).

Your config ask the system to create a new file every day or when the log file size is more than 20000000 (which does not refer directly to the destination event file size), first that happened will générate the log rotate. So you may have more than 1 file per day.

You shoud set cifs.audit.autosave.onsize.enable to off if you only whan to rotate every day.

Audit remains in memory until they are writtent on disk. If there is to many events, some will be lost, until the log rotate, with a "xxxx events dropped" or something like that message.

Best regards

Régis

naing_lin · ‎2009-12-16

Dear Régis,

Yes. Thank you very much and appreciated for you information. That was solved the problem. The CIFS audit was stopped because of the quota limit hit in the qtree which is audit logs reside.

Thank You & Best Regards,

Lin.

The cifs.audit.enable option is turned off automatically

Re: The cifs.audit.enable option is turned off automatically

Re: The cifs.audit.enable option is turned off automatically

Re: The cifs.audit.enable option is turned off automatically