How To Rollover Accounting Datafile
1. Locate and check the size of the current ACCOUNTNG.DAT file:
$ SET DEFAULT SYS$MANAGER $ DIRECTORY /SIZE /DATE /PROTECTION ACCOUNTNG.DAT Directory SYS$SYSROOT:[SYSMGR] ACCOUNTNG.DAT;47 1062237 21-JUN-2018 10:53:56.21 (RWED,RWED,RE,) ACCOUNTNG.DAT;46 1322520 4-FEB-2018 08:38:01.44 (RWED,RWED,RE,) ACCOUNTNG.DAT;29 3232751 20-SEP-2016 13:25:12.69 (RWED,RWED,RE,) Total of 3 files, 5617508 blocks.
2. Create a new version of the ACCOUNTNG.DAT logfile:
$ SET PROCESS /PRIVILEGE=SYSPRV $ SET ACCOUNTING /NEW_FILE /LOG %SET-I-ACCENAB, accounting enabled for PROCESS,INTERACTIVE,LOGIN_FAILURE,SUBPROCESS,DETACHED,BATCH,NETWORK,PRINT,MESSAGE %SET-I-NEWFILE, new accounting file created $ SET PROCESS /PRIVILEGE=NOSYSPRV
3. Purge old file versions to free up space – keep as many recent versions as you like, but consider whether you'll ever actually need to investigate events in those older files (it hardly ever happens, but again, YMMV).
$ PURGE /KEEP=2 ACCOUNTNG.DAT
Of course, you can PURGE /KEEP=
any number of versions that you like or need – just don't “keep everything,” as most older versions of this file are just obsolete junk-data (past a certain reasonable “shelf-life”).
If external and/or formal audits are a business requirement, consider archiving older versions of ACCOUNTNG.DAT offline (e.g., to tape or nearline SAN storage, etc.) so that date-stamped (historical) versions of the file can be produced for auditing examination and approval. The forensic or auditing value of this file is far less than that of SECURITY.AUDIT$JOURNAL, but it does provide some visibility of system/user process events that could be useful in some security auditing circumstances.
Done.
How Often Should ACCOUNTNG.DAT Be Rolled-Over?
Different systems and business environments have different operational requirements, but here are a few rules of thumb, and your own specific requirement is likely a combination of two or more of these:
- Whenever the Accounting Logfile size gets larger than “a few hundred-MB.”
- Specifically per internal or external/regulatory auditing requirements (but less valuable than the Security Audit Journal file).
- Monthly.
- Quarterly.
- Maybe even annually.
- With every system reboot (not suitable for systems which run for months or years without rebooting).