Novell OPEN ENTERPRISE SERVER 2 SP2 - STORAGE SERVICES AUDITING CLIENT LOGGER UTILITY REFERENCE 04-29-2010 Reference page 30

Records are stored in the files until the Auditing Engine is instructed to stop, or until the NSS
Auditing Engine is stopped. If the auditing application terminates (perhaps unexpectedly), and the
NSS Auditing Engine is therefore not instructed to stop sending records to the Auditing Client's
directory, the NSS Auditing Engine continues to store auditing records in the Auditing Client's
specified directory.
An Auditing Client that does not have a live user-space application associated with it is called an
Orphaned Auditing Client. The architecture of the NSS Auditing Engine supports this mode of
operation. This mode facilitates the continued collection of auditing data, even if the auditing
application temporarily fails. The NSS Auditing Engine architecture assumes that the auditing
application will eventually be restarted, and will then re-connect to the auditing stream.
The default configuration of the
Auditing Client from a previous failed
SIGTERM signal, an Orphaned Auditing Client is created.
IMPORTANT: If Orphaned Auditing Clients are not stopped, they continue until they fill the Linux
file system partition with auditing data.
You can use one of the following methods to eliminate Orphaned Auditing Clients: Start and stop (or
restart) the NSS Auditing Engine, or stop a specific instance of the Auditing Client. Each method is
described below.
Method 1: Stop and Start (or Restart) the NSS Auditing Engine
To do this, enter the following commands as the
./etc/init.d/novell-vigil stop
./etc/init.d/novell-vigil start
Or you can enter the following command to restart the engine:
./etc/init.d/novell-vigil restart
This method stops all Auditing Clients, including those that were not associated with the
application. This might be undesirable because some auditing records of file-system events will not
be logged to the various auditing applications.
Method 2: Stop a Specific Auditing Client Instance
By default, all active Auditing Clients for the NSS Auditing Engine can be listed by listing the
directory content of the
For example, enter the following command as the
ll /sys/audit/vigil
All active Auditing Clients are represented in the listing as directories named "
the
[-C, --clientName]
the specific entry in the
clientName]
name entries are prefixed with "
followed by a numeric value that represents the date and time that the specific Auditing Client was
started.
30 OES 2 SP2: NSS Auditing Client Logger (VLOG) Utility Reference
application does not attempt to re-connect to an orphaned
vlog
vlog
/sys/audit/vigil
option,
vlog
/sys/audit/vigil/
option is not specified,
vlog
CLIENT_VLOG_
session. If vlog is not properly terminated by the
user at a terminal console prompt:
root
directory.
user at a terminal console prompt:
root
Auditing Clients can be given a name such as "
directory will be "
CLIENT_JOHN
generates a random Auditing Client name. Generated
", followed by the process ID that created the client,
vlog
". Using
CLIENT_*
", and
JOHN
". If the
[-C,--