The cifs.audit.enable option is turned off automatically after 30 audit logs have been logged. When I checked the ASUP, I got the following error message in the ASUP.
Tue Dec 1 12:06:36 SGT [filer01: cifs.auditfile.autosaved.onsize:info]: Autosaving the CIFS audit log file (/vol/vol1/Share1/log/adtlog.evt)
Tue Dec 1 12:06:37 SGT [filer01: wafl.quota.qtree.exceeded:notice]: tid 20: tree quota exceeded on volume vol1. Additional warnings will be suppressed for approximately 60 minutes or until a 'quota resize' is performed.
Tue Dec 1 12:06:37 SGT [filer01: cifs.auditfile.logFile.IOError:error]: ALF I/O error 0x1c (No space left on device) on file /vol/vol1/Share1/log/adtlog.evt.tmp: writing.
Tue Dec 1 12:06:37 SGT [filer01: cifs.audit.tmpfile.IOerr:error]: Access Logging Facility (ALF) I/O error 0x1c (No space left on device) on file /etc/log/cifsaudit.alf: I/O error while writing event records to temporary file. Use the command 'cifs audit start' to restart CIFS auditing.
Tue Dec 1 12:06:37 SGT [filer01: cifs.auditfile.enable.off:info]: ALF: CIFS auditing stopped.
The current cifs.audit settings are as follows:
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 30
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable on
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable off
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable on
cifs.audit.logsize 20000000
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /vol/vol1/Share1/log/adtlog.evt
Please help me find out what is wrong in the above settings.
Another thing I would like to do is log the CIFS auditing on a day-by-day basis and, after the month ends, have the oldest log purged so that the logging is circular. How should I change the settings to meet this requirement?
Auditing stops as soon as anything may threaten system stability (lack of space in the volume, for example).
Your config asks the system to create a new file every day or when the log file size is more than 20000000 (which does not refer directly to the destination event file size); whichever happens first will generate the log rotation. So you may have more than 1 file per day.
You should set cifs.audit.autosave.onsize.enable to off if you only want to rotate every day.
Audits remain in memory until they are written to disk. If there are too many events, some will be lost, until the log rotates, with an "xxxx events dropped" message or something like that.