How To Roll Over the Security Audit Journal File

1. Locate and check the size of the current SECURITY.AUDIT$JOURNAL file:

$ SET DEFAULT SYS$MANAGER
$ DIRECTORY /SIZE /DATE /PROTECTION SECURITY.AUDIT$JOURNAL

Directory SYS$COMMON:[SYSMGR]

SECURITY.AUDIT$JOURNAL;18
                      271030   1-AUG-2018 10:03:56.14  (RWED,RWED,RE,)
SECURITY.AUDIT$JOURNAL;17
                      636538   4-FEB-2018 08:37:07.26  (RWED,RWED,RE,)

Total of 2 files, 907568 blocks.

2. Create a new version of the SECURITY.AUDIT$JOURNAL logfile:

NOTE: This section has two parts. If the first doesn't work, try the second:

$ ! Requires SECURITY, and possibly SYSPRV, privilege:
$ SET PROCESS /PRIVILEGE=(SYSPRV,SECURITY)
$ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200  ! resets space-monitoring
$ SET AUDIT /SERVER=NEW_LOG
$ SET PROCESS /PRIVILEGE=(NOSYSPRV,NOSECURITY)
$ DIR SYS$MANAGER:SECURITY.AUDIT$JOURNAL/SIZE=ALL

Directory SYS$COMMON:[SYSMGR]

SECURITY.AUDIT$JOURNAL;2
                           2/1024096
SECURITY.AUDIT$JOURNAL;1
                     1023847/1023856

Total of 2 files, 1023849/2047952 blocks.

Notice that the second file is allocated at about the same size as the original (1024096 blocks), even though it uses only 2. If that happens, use this instead:

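$ ! Re-enable the privileges from above first if you have already turned them off
$ SHOW RMS  ! note the current system extend value
$ SET RMS /EXTEND=10000 /SYSTEM
$ SET AUDIT /SERVER=NEW
$ SET RMS /EXTEND=original-value-from-above /SYSTEM  ! put the system default back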
$ DIR SYS$MANAGER:SECURITY.AUDIT$JOURNAL/SIZE=ALL

Directory SYS$COMMON:[SYSMGR]

SECURITY.AUDIT$JOURNAL;3
                           0/10000
SECURITY.AUDIT$JOURNAL;2
                           2/16
SECURITY.AUDIT$JOURNAL;1
                     1023847/1023856

Total of 3 files, 1023849/1033872 blocks.

Notice that the second version closed small and the third version started at 10,000 blocks.

3. Purge old file versions to free up space – keep as many recent versions as you like, but consider whether you'll ever actually need to investigate events in those older files (it hardly ever happens, but again, YMMV).

$ PURGE /KEEP=2 SECURITY.AUDIT$JOURNAL
$ SET PROCESS /PRIVILEGE=(NOSYSPRV,NOSECURITY)

Of course, you can PURGE /KEEP= any number of versions that you like or need – just don't “keep everything,” as most older versions of this file are just obsolete junk-data (past a certain reasonable “shelf-life”).

If external and/or formal audits are a business requirement, consider archiving older versions of SECURITY.AUDIT$JOURNAL offline (e.g., to tape or nearline SAN storage) so that date-stamped (historical) versions of the file can be produced for auditing examination and approval.

Done.
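
The steps above, combined into one DCL command procedure that puts the process privileges and the system RMS extend quantity back even if a command fails partway. This is an added example, not part of the original page. The procedure name ROLL_AUDIT.COM, the P1/P2 parameters, the CMKRNL privilege for SET RMS_DEFAULT /SYSTEM and the five-second WAIT are assumptions.

```dcl
$! ROLL_AUDIT.COM : added example, not from the original page (name is an assumption)
$! P1 = system RMS extend quantity currently shown by SHOW RMS (restored at exit)
$! P2 = number of journal versions to keep (optional, defaults to 2)
$ IF F$TYPE(P1) .NES. "INTEGER"
$ THEN
$   WRITE SYS$OUTPUT "Usage: @ROLL_AUDIT original-extend-value [versions-to-keep]"
$   EXIT
$ ENDIF
$ IF P2 .EQS. "" THEN P2 = "2"
$ IF F$TYPE(P2) .NES. "INTEGER" THEN P2 = "2"
$ rms_changed = 0
$! F$SETPRV returns the previous state of each named privilege, so the
$! process can be put back exactly as it was, on success or on failure.
$! Assumption: CMKRNL is needed for the /SYSTEM form of SET RMS_DEFAULT.
$ saved_privs = F$SETPRV("SYSPRV,SECURITY,CMKRNL")
$ ON ERROR THEN GOTO cleanup
$ ON CONTROL_Y THEN GOTO cleanup
$ IF F$PRIVILEGE("SECURITY,CMKRNL") .EQS. "FALSE"
$ THEN
$   WRITE SYS$OUTPUT "SECURITY and CMKRNL are required; nothing was changed."
$   GOTO cleanup
$ ENDIF
$! Small initial allocation for the new journal version (value from the page)
$ SET RMS_DEFAULT /EXTEND_QUANTITY=10000 /SYSTEM
$ rms_changed = 1
$ SET AUDIT /SERVER=NEW_LOG
$! Assumption: short pause in case the audit server opens the new file asynchronously
$ WAIT 00:00:05
$! Archive older versions before this point if auditors may ask for them
$ PURGE /KEEP='P2' /LOG SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$cleanup:
$ SET NOON
$! Restore the system-wide default only if this procedure changed it
$ IF rms_changed THEN SET RMS_DEFAULT /EXTEND_QUANTITY='P1' /SYSTEM
$ dummy = F$SETPRV(saved_privs)
$ DIRECTORY /SIZE=ALL /DATE SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ EXIT
```

Run it as @ROLL_AUDIT followed by the extend value that SHOW RMS reported, and check the closing DIRECTORY listing against the sizes shown in step 2.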

How Often Should SECURITY.AUDIT$JOURNAL Be Rolled-Over?

Different systems and business environments have different operational requirements, but here are a few rules of thumb, and your own specific requirement is likely a combination of two or more of these: