<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1523" name=GENERATOR></HEAD>
<BODY>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff size=2>Look
at the notify line in /var/audit/audit.conf (the -N switch will execute a
command when the threshold is reached).</FONT></SPAN></DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff size=2>You
could try something like this (don't leave out any tick marks or quote
marks):</FONT></SPAN></DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff
size=2><STRONG>notify ="/usr/sbin/audbin
-S /var/log/audit.d/save.%u -C -T 70% -N 'mail -s "audit filling up var alert"
user@yada.com'";</STRONG></FONT></SPAN></DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff size=2>If you
don't really need all that audit info (it can range from months to years of
data) you can change the notify line to the following and it will just rotate
through the four 20M log files (default) using a first in - first out process.
This is usually enough audit data for most people, but make sure of your own
audit log requirements first:</FONT></SPAN></DIV>
<DIV><SPAN class=859572412-14112005><FONT face=Arial color=#0000ff
size=2><STRONG>notify =
"/usr/sbin/audbin -C";<BR></STRONG></FONT></SPAN></DIV>
<BLOCKQUOTE>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----<BR><B>From:</B> rhn-users-bounces@redhat.com
[mailto:rhn-users-bounces@redhat.com]<B>On Behalf Of
</B>caranas@lexmark.com<BR><B>Sent:</B> Sunday, November 13, 2005 8:22
PM<BR><B>To:</B> Red Hat Network Users List<BR><B>Cc:</B>
rhn-users@redhat.com; rhn-users-bounces@redhat.com<BR><B>Subject:</B> RE:
[rhn-users] RHEL3 box hanging at login<BR><BR></FONT></DIV><BR><FONT
face=sans-serif size=2>Hi Tom,</FONT> <BR><BR><FONT face=sans-serif size=2>I'm
new to Linux. Maybe you could help me. How can I make it so that
if my /var directory is 70% full, it sends me an email?</FONT>
<BR><BR><FONT face=sans-serif size=2>Hoping for your favorable
response.</FONT> <BR><BR><FONT face=sans-serif size=2>Thanks and more
power.<BR><BR><BR>Clark James E. Aranas<BR>System Administrator<BR>Printhead
Technology<BR>Phone Number : 63.32.2348873<BR>Mobile Numbers :
63.92.143.143.87<BR>TSC Hotline
: 63.92.871.284.28<BR><BR>-=Lexmark Confidential=-</FONT>
<BR><BR><BR>
<TABLE width="100%">
<TBODY>
<TR vAlign=top>
<TD>
<TD><FONT face=sans-serif size=1><B>Tom Hodder
&lt;tom@ecnow.co.uk&gt;</B></FONT> <BR><FONT face=sans-serif size=1>Sent
by: rhn-users-bounces@redhat.com</FONT>
<P><FONT face=sans-serif size=1>11/14/2005 00:09</FONT> <BR><FONT
face=sans-serif size=1>Please respond to Red Hat Network Users
List</FONT> <BR></P>
<TD><FONT face=Arial size=1> </FONT><BR><FONT
face=sans-serif size=1> To:
rhn-users@redhat.com</FONT> <BR><FONT face=sans-serif
size=1> cc:
</FONT> <BR><FONT face=sans-serif size=1>
Subject: RE: [rhn-users] RHEL3 box
hanging at login</FONT></TR></TBODY></TABLE><BR><BR><BR><FONT
face="Courier New" size=2>Quoting "Lamon, Frank III"
&lt;Frank_LaMon@csx.com&gt;:<BR><BR>> Check out the size of your /var
directory - it's probably over 80%. <BR>> Depending on your update level
the default setting for auditd is to <BR>> suspend auditable actions
(logons, etc) once the filesystem reaches a <BR>> certain threshold (80%
is default I think).<BR><BR>That was true as well, 89% full in fact. I
have set up a notify at 90%, so I had better take that down to 70% to be
safe.<BR><BR>Thanks,<BR><BR>Tom<BR><BR>> Quoting Thomas
Holzgruber &lt;thomas.holzgruber@byting.at&gt;:<BR>><BR>>>
Hi,<BR>>><BR>>> I had the same problem, I turned off the audit
daemon to start at<BR>>> boot time to solve this
problem.<BR>>><BR>><BR>> Worked like a charm,
Thanks!<BR>><BR>> Now to find out what's wrong with the audit
daemon...<BR>><BR>> Tom<BR>><BR>>>
//thomas<BR>>><BR>>> Tom Hodder wrote:<BR>>><BR>>>>
Hi,<BR>>>><BR>>>> In a blade farm of a hundred or so RHEL3
boxes, 2 of these machines started<BR>>>> hanging after the password
was entered at the login prompt, both <BR>>>> via ssh
and<BR>>>> locally, this was after a few days of running
time.<BR>> _____________________________<BR>>> rhn-users mailing
list<BR>>> rhn-users@redhat.com<BR>>>
https://www.redhat.com/mailman/listinfo/rhn-users<BR></FONT><BR><BR></BLOCKQUOTE></BODY></HTML>