
How To Roll Over the Accounting Datafile

1. Locate and check the size of the current ACCOUNTNG.DAT file:

$ SET DEFAULT SYS$MANAGER
$ DIRECTORY /SIZE /DATE /PROTECTION ACCOUNTNG.DAT

Directory SYS$SYSROOT:[SYSMGR]

ACCOUNTNG.DAT;47     1062237  21-JUN-2018 10:53:56.21  (RWED,RWED,RE,)
ACCOUNTNG.DAT;46     1322520   4-FEB-2018 08:38:01.44  (RWED,RWED,RE,)
ACCOUNTNG.DAT;29     3232751  20-SEP-2016 13:25:12.69  (RWED,RWED,RE,)

Total of 3 files, 5617508 blocks.

2. Create a new version of the ACCOUNTNG.DAT logfile:

$ SET PROCESS /PRIVILEGE=SYSPRV
$ SET ACCOUNTING /NEW_FILE /LOG
%SET-I-ACCENAB, accounting enabled for PROCESS,INTERACTIVE,LOGIN_FAILURE,SUBPROCESS,DETACHED,BATCH,NETWORK,PRINT,MESSAGE
%SET-I-NEWFILE, new accounting file created
$ SET PROCESS /PRIVILEGE=NOSYSPRV

3. Purge old file versions to free up space – keep as many recent versions as you like, but consider whether you'll ever actually need to investigate events in those older files (it hardly ever happens, but again, YMMV).

$ PURGE /KEEP=2 ACCOUNTNG.DAT

Of course, you can PURGE /KEEP= any number of versions that you like or need – just don't “keep everything,” as most older versions of this file are just obsolete junk-data (past a certain reasonable “shelf-life”).

If external and/or formal audits are a business requirement, consider archiving older versions of ACCOUNTNG.DAT offline (e.g., to tape or nearline SAN storage) so that date-stamped (historical) versions of the file can be produced for auditing examination and approval. The forensic or auditing value of this file is far less than that of SECURITY.AUDIT$JOURNAL, but it does provide some visibility of system/user process events that could be useful in some security auditing circumstances.

Done.

How Often Should ACCOUNTNG.DAT Be Rolled Over?

Different systems and business environments have different operational requirements, but here are a few rules of thumb, and your own specific requirement is likely a combination of two or more of these:

  • Whenever the Accounting Logfile size gets larger than “a few hundred MB.”
  • Specifically per internal or external/regulatory auditing requirements (but less valuable than the Security Audit Journal file).
  • Monthly.
  • Quarterly.
  • Maybe even annually.
  • With every system reboot (not suitable for systems which run for months or years without rebooting).
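
The three steps above combined with the size rule of thumb, as a DCL command procedure. This is an added example, not part of the original page: the procedure name ROLL_ACCOUNTING.COM, the optional P1 parameter and the default threshold of 614400 blocks (about 300 MB at 512 bytes per block) are assumptions. It enables SYSPRV only for the rollover and restores the previous setting afterwards.

```dcl
$! ROLL_ACCOUNTING.COM -- added example (hypothetical name), not from the original page.
$! Rolls SYS$MANAGER:ACCOUNTNG.DAT over only when it exceeds a size threshold.
$! P1 (optional, assumed parameter) = threshold in 512-byte blocks.
$!
$ threshold = 614400                    ! assumed default, about 300 MB
$ IF P1 .NES. "" THEN threshold = F$INTEGER(P1)
$ acc_file = "SYS$MANAGER:ACCOUNTNG.DAT"
$!
$! Step 1: locate the current file and check its size.
$ IF F$SEARCH(acc_file) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "No accounting file found: ''acc_file'"
$   EXIT 1
$ ENDIF
$ used = F$FILE_ATTRIBUTES(acc_file, "EOF")   ! blocks used, highest version
$ WRITE SYS$OUTPUT "''acc_file' uses ''used' blocks (threshold ''threshold')"
$ IF used .LT. threshold THEN EXIT 1          ! nothing to do
$!
$! Step 2: enable SYSPRV just for the rollover; remember the prior state.
$ old_priv = F$SETPRV("SYSPRV")
$ IF .NOT. F$PRIVILEGE("SYSPRV")
$ THEN
$   WRITE SYS$OUTPUT "SYSPRV not authorized; accounting file not rolled over"
$   EXIT 36                                   ! SS$_NOPRIV
$ ENDIF
$ SET NOON                                    ! keep going so privileges get restored
$ SET ACCOUNTING /NEW_FILE /LOG
$ status = $STATUS
$!
$! Step 3: purge old versions only if the new file was actually created.
$ IF status THEN PURGE /KEEP=2 /LOG 'acc_file'
$ old_priv = F$SETPRV(old_priv)               ! restore the original SYSPRV state
$ EXIT status
```

If older versions must be retained for audits, copy them to the archive location before the PURGE step runs.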
howto/rollover_accounting_datafile.txt · Last modified: 2018/12/03 20:08 by lricker