Previous Topic Next topic Print topic


Configuring the AUDITFILE Emitter

The AUDITFILE emitter writes audit records to a collection of files. These files hold the records in a binary format, and can be processed using the audit file APIs or the Audit Manager Administration Utility.

When the current file in the collection has reached its maximum size, the emitter writes to the next file in the collection. When all files in the collection have reached their maximum file, the emitter attempts to re-use the first file in the collection. This fails if the contents of the audit file have not yet been dumped.

When the last available file in the collection becomes half full, the emitter writes a warning event to the Windows event log, or to the Unix syslog. When the last available file in the collection becomes full, the emitter writes an error event to the Windows event log, or to the Unix syslog.

When no files are available, the emitter attempts to cache audit events in memory until a file becomes available. When there is no memory available, the emitter removes events from the cache to allow it to cache the most recent events. When an audit file becomes available, the emitter generates an audit event that details how many audit events were lost, and writes this as the first event in the file.

An audit file cannot be dumped until it has reached its maximum size, or has been set by an administrator as available for dumping. Marking an active files as available for dumping causes the file to be closed immediately, and the next file in the collection becomes the active file.

Previous Topic Next topic Print topic