3.10.8 Deleting Audit Log Data

Use the setaudit command to delete audit log data in the following cases: when the audit log capacity threshold is exceeded, when a warning message appears on the console or a warning e-mail arrives, or when the audit log reaches full capacity.
  1. Execute the showaudit command to check audit settings and the audit log amount.
    The following example fully displays the current status of auditing in the system.
    The example shows that the audit log amount is 3.5 MB and that the warning-level capacity threshold of 80% is exceeded.
XSCF> showaudit all
Auditing:             enabled
Audit space used:     3670016 (bytes)
Audit space free:     524288 (bytes)
Records dropped:      0
Policy on full trail: count
User global policy:   enabled
Mail:
Thresholds:           80% 100%
User policy:
Events:
        AEV_AUDIT_START enabled
        AEV_AUDIT_STOP enabled
  2. Execute the setaudit command to delete audit log data.
    The older 2-MB area (secondary) is deleted.
XSCF> setaudit delete
Note - Before deleting audit log data, use the viewaudit command to check whether auditing of the data has been finished.
  3. Execute the showaudit command to check the setaudit command execution results.
    The following example shows that the older area of the audit log is deleted and an available capacity of about 2 MB is created.
XSCF> showaudit all
Auditing:             enabled
Audit space used:     2097152 (bytes)
Audit space free:     2097152 (bytes)
Records dropped:      0
Policy on full trail: count
User global policy:   enabled
Mail:
Thresholds:           80% 100%
User policy:
Events:
        AEV_AUDIT_START enabled
        AEV_AUDIT_STOP enabled
Note - After the deletion of the secondary area, the primary area becomes secondary and a new primary area is created.
The system then recognizes the amount of the new secondary area as 2 MB, regardless of the actual remaining amount of the area.
Therefore, even after audit log data has been deleted, the showaudit command always shows 2 MB as being in use.
If this deletion is performed twice in succession, all information in the audit log is deleted.
Even in this case, the showaudit command shows 2 MB as being in use.
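
The check in steps 1 and 3 can be automated on a management host by parsing captured "showaudit all" output. The following is an added example, not part of the original manual or of XSCF; the function names are hypothetical, and it assumes the thresholds are percentages of used plus free space.

```python
import re

# Constructed sample: the first "showaudit all" output shown in step 1.
SAMPLE_BEFORE = """\
Auditing:             enabled
Audit space used:     3670016 (bytes)
Audit space free:     524288 (bytes)
Records dropped:      0
Policy on full trail: count
User global policy:   enabled
Mail:
Thresholds:           80% 100%
User policy:
Events:
        AEV_AUDIT_START enabled
        AEV_AUDIT_STOP enabled
"""

def parse_showaudit(text):
    """Return the top-level 'Key: value' fields of showaudit output as a dict."""
    fields = {}
    for line in text.splitlines():
        # Indented event lines have no colon and are skipped.
        m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def audit_status(text):
    """Summarize audit trail usage against the configured thresholds."""
    f = parse_showaudit(text)
    used = int(f["Audit space used"].split()[0])
    free = int(f["Audit space free"].split()[0])
    # Assumption: thresholds are percentages of (used + free).
    pct = 100.0 * used / (used + free)
    thresholds = [int(t) for t in re.findall(r"(\d+)%", f["Thresholds"])]
    return {
        "enabled": f["Auditing"] == "enabled",
        # After a delete, "used" always reads 2 MB (see the note above), so
        # this figure does not measure how many records actually remain.
        "used_pct": pct,
        "thresholds_reached": [t for t in thresholds if pct >= t],
        # A non-zero count means audit records were lost and never stored.
        "dropped": int(f["Records dropped"]),
        "policy_on_full": f["Policy on full trail"],
    }

if __name__ == "__main__":
    print(audit_status(SAMPLE_BEFORE))
```

A non-empty thresholds_reached list is the cue to review the records with viewaudit before running setaudit delete.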