Exadata Cloud - High Frequency Rotation On /var/log/audit/audit.log (Doc ID 2943248.1)

Last updated on APRIL 29, 2024

Applies to:

Gen 2 Exadata Cloud at Customer - Version N/A to N/A [Release All Releases]
Oracle Cloud Infrastructure - Exadata Cloud Service - Version N/A to N/A [Release N/A]
Information in this document applies to any platform.

Symptoms

High frequency rotation on /var/log/audit/audit.log.

We notice the rotation in /var/log/audit/audit.log is made every 5min:

[root@exacc1db1 audit]# ls -lrt
total 128292
-r--r----- 1 root root 26214403 Feb 17 12:51 audit.log.4
-r--r----- 1 root root 26214517 Feb 17 12:56 audit.log.3
-r--r----- 1 root root 26214428 Feb 17 13:01 audit.log.2
-r--r----- 1 root root 26214527 Feb 17 13:06 audit.log.1
-rw-r----- 1 root root 24596636 Feb 17 13:12 audit.log

Observed a lot of messages with “perm_mod” key.

e.g.

type=SYSCALL msg=audit(1678122707.908:10965622): arch=c000003e syscall=92 success=yes exit=0 a0=7ffdc4123db4 a1=ffffffff a2=3e9 a3=1 items=1 ppid=1 pid=183897 auid=2000 uid=1000 gid=1001 euid=1000 suid=1000 fsuid=1000 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=96 comm="tnslsnr" exe="/u01/app/19.0.0.0/grid/bin/tnslsnr" key="perm_mod" <<<
type=CWD msg=audit(1678122707.908:10965622): cwd="/u01/app/grid/crsdata/exacc1db1/core"
type=PATH msg=audit(1678122707.908:10965622): item=0 name="/u01/app/grid/diag/tnslsnr/exacc1db1/listener_scan3/trace/listener_scan3.log" inode=37847262 dev=fc:0f mode=0100640 ouid=1000 ogid=1001 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1678122707.908:10965622): proctitle=2F7530312F6170702F31392E302E302E302F677269642F62696E2F746E736C736E72004C495354454E45525F5343414E33002D6E6F5F6372735F6E6F74696679002D696E6865726974

and modified files are always like

/u01/app/grid/diag/tnslsnr/exacc1db1/listener/trace/listener.log
/u01/app/grid/diag/tnslsnr/exacc1db1/listener/alert/log.xml
/u01/app/grid/diag/tnslsnr/exacc1db1/listener_scan2/trace/listener_scan2.log
/u01/app/grid/diag/tnslsnr/exacc1db1/listener_scan3/trace/listener_scan3.log
/u01/app/grid/diag/tnslsnr/exacc1db1/asmnet1lsnr_asm/trace/asmnet1lsnr_asm.log

Cause

	To view full details, sign in with your My Oracle Support account.
	Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

Exadata Cloud - High Frequency Rotation On /var/log/audit/audit.log (Doc ID 2943248.1)

Applies to:

Symptoms

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!