I am not a Linux expert, but this sounds like SMF on a z/OS system except
if SMF's pre-allocated datasets are all full and unusable, you start
losing data - messages are issued to inform you of the fact that you're
losing data, but the process doesn't hang.

As with SMF, it sounds as though the space allocated for the offload files
needs to be able to handle a certain time period (a day is what we use),
and then those files need to be processed and deleted.  Our SMF tools
take a day's offload files, put them through whatever programs we use to
summarize the information, combine them onto a tape which is kept for a
while, and delete them.  We also manage the size of the files by setting
parameters for what is recorded.

All of these techniques sound like they'd be useful and applicable to
Linux auditing.

Tim Hare
Senior Systems Programmer
Florida Department of Transportation
(850) 414-4209



"Meanor, Tim" <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
03/21/2006 06:46 PM
Please respond to Linux on 390 Port <LINUX-390@VM.MARIST.EDU>

To: LINUX-390@VM.MARIST.EDU
cc:
Subject: Re: Question

They were talking about LAuS (Linux Audit Subsystem).  I'm not sure
exactly what they were talking about, but by default auditd keeps 4
(preallocated) 20M binary files in which it stores its audit info.
When one of the binary files fills up, it writes the data to a unique
file (save.1, save.2, etc, etc) and then switches to the next binary
file.  Over time, this will fill up /var/log/audit.d with these save
files.  If there is not enough available filesystem space to write the
save file, auditd will suspend until there is enough room.  When auditd
is suspended, anything trying to write an audit event (sshd, for
example) goes to sleep until auditd starts accepting events.  The guest
will appear to be hung, but it is actually still functioning (albeit
with limited usefulness).  This is fixed by cleaning up /var then kill
-HUP the pid of auditd.


-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Phil Smith III
Sent: Tuesday, March 21, 2006 5:46 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Question


I got a written comment on the "Sick Penguin" pitch at SHARE that I
can't seem to confirm or refute, despite having spent a bunch o' time
Googling for it.  I figure someone in this group will know!

The comment was:
"FYI, if Linux auditing is enabled, by default file systems >= 80% full
can cause the guest to hang."

(Phil) Really?  Why?  How?  What do they mean by "Linux auditing"?
Maybe they meant "journaling"?

Can anyone shed any light?

Thanks,
...phsiii

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit http://www.marist.edu/htbin/wlvindex?LINUX-390
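The recovery described in the thread (free space in /var/log/audit.d, then HUP auditd) and the SMF-style offload workflow (archive a batch of files, then delete them) combined into one script. This is an added example for this page, not code from the LINUX-390 posts or from LAuS itself. Assumptions: the save.N files are numbered in increasing order as they are written, so the lowest N is the oldest; the directory, keep-count, threshold and archive directory are parameters with no defaults taken from any LAuS documentation; `pidof` is available for locating the auditd process.

```bash
#!/bin/sh
# Added example: clean up LAuS save.N files when the filesystem holding
# /var/log/audit.d gets full, archive them first (as one would offload SMF
# datasets to tape), then HUP auditd so it resumes accepting events.
# Assumption: save.N numbering increases with age, so lowest N = oldest.

# usage_pct DIR -> prints the use% of the filesystem holding DIR as an integer
usage_pct() {
    df -P "$1" | awk 'NR == 2 { sub(/%/, "", $5); print $5 }'
}

# save_numbers DIR -> prints N for every save.N in DIR, ascending (oldest first)
save_numbers() {
    for f in "$1"/save.*; do
        [ -f "$f" ] || continue
        n=${f##*/save.}
        case $n in *[!0-9]*) continue ;; esac   # skip anything not save.<digits>
        echo "$n"
    done | sort -n
}

# prune_save_files DIR KEEP [ARCHIVE_DIR]
#   Keeps the newest KEEP save.N files, tars the rest into ARCHIVE_DIR (if
#   given) and deletes them. Prints the number of files removed.
prune_save_files() {
    dir=$1; keep=$2; archive=${3:-}
    total=$(save_numbers "$dir" | wc -l)
    remove=$((total - keep))
    if [ "$remove" -le 0 ]; then
        echo 0
        return 0
    fi
    old=""
    for n in $(save_numbers "$dir" | head -n "$remove"); do
        old="$old save.$n"
    done
    if [ -n "$archive" ]; then
        mkdir -p "$archive"
        # Names are save.N with no whitespace, so $old is split on purpose.
        tar -C "$dir" -cf "$archive/audit-save-$(date +%Y%m%d%H%M%S).tar" $old
    fi
    (cd "$dir" && rm -f $old)
    echo "$remove"
}

# remediate DIR KEEP THRESHOLD [ARCHIVE_DIR]
#   Returns 0 if cleanup ran, 1 if usage was below THRESHOLD percent.
remediate() {
    dir=$1; keep=$2; threshold=$3; archive=${4:-}
    pct=$(usage_pct "$dir")
    if [ "$pct" -lt "$threshold" ]; then
        echo "$dir at ${pct}%: below ${threshold}%, nothing to do"
        return 1
    fi
    n=$(prune_save_files "$dir" "$keep" "$archive")
    echo "$dir at ${pct}%: archived and removed $n old save files"
    # auditd suspends when it cannot write a save file; HUP it so it (and the
    # processes sleeping on audit writes, e.g. sshd) carry on. Assumes pidof.
    pid=$(pidof auditd 2>/dev/null)
    if [ -n "$pid" ]; then
        kill -HUP $pid
        echo "sent SIGHUP to auditd ($pid)"
    fi
    return 0
}

# Example invocation: sh audit_cleanup.sh /var/log/audit.d 4 80 /var/audit-archive
if [ $# -gt 0 ]; then
    remediate "$@"
fi
```

Run it from cron at the interval that matches how fast the guest produces audit data, with KEEP sized so that the preallocated binary files plus KEEP save files stay comfortably under the threshold; the archive tarballs are what get copied off the guest and then deleted, mirroring the daily SMF offload described above.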
