On Tue, 15 Jan 2002, Brian Carpio wrote:

> All,
>
> I have a situation where I need to monitor all user activity on a server
> (just certain users) like file creation, the killing of processes etc,
> because I believe there is someone doing things they shouldn't be but I
> can't find out who is doing what..

Killing of processes? Are you monitoring people who have root access and are malicious? (!). Good luck! Sounds like a personnel management problem, not a systems management problem. How do you know they're not going to tamper with your audit trail?

> I tried to implement BSM on an E1000 and an E450 but I seem to have the
> same problem with both servers .... when the log dir gets full the system
> locks the file system and I have to reboot the server.. or the entire
> system just crashes...

<snip>

Why is it crashing your system? Are you auditing into / or /var? If so, put the audit files on their own file system or, better, their own disk. If you haven't already, take a look at the "Administering Auditing" section of the docs for suggestions on managing the flood of data:

http://docs.sun.com:80/ab2/coll.47.11/SHIELD/@Ab2PageView/522?DwebQuery=bsm&oqt=bsm&Ab2Lang=C&Ab2Enc=iso-8859-1

Also, the Sun Blueprint on auditing:

http://www.sun.com/blueprints/0201/audit_config.pdf
