Set the following configuration parameters for your auditing installation:
audit queue size sets the number of records in the audit queue in memory.
suspend audit when device full determines what Adaptive Server does if the current audit table becomes completely full. The full condition occurs only if the threshold procedure attached to the current table segment is not functioning properly.
The memory requirement for a single audit record is 424 bytes. The default size for the audit queue is 100 records, which requires approximately 42K.
To set the size of the audit queue, use sp_configure. The syntax is:
sp_configure "audit queue size", [value]
value is the number of records that the audit queue can hold. The minimum value is 1, and the maximum is 65,535. For example, to set the audit queue size to 300, execute:
sp_configure "audit queue size", 300
For more information about setting the audit queue size and other configuration parameters, see Chapter 5, “Setting Configuration Parameters.”
If you have two or more audit tables, each on a separate device other than the master device, and have a threshold procedure for each audit table segment, the audit devices should never become full. Only if a threshold procedure is not functioning properly would the “full” condition occur. You can use sp_configure to set the suspend audit when device full parameter to determine what happens if the devices do become full. Choose one of these options:
Suspend the auditing process and all user processes that cause an auditable event. Resume normal operation after a System Security Officer clears the current audit table.
Truncate the next audit table and start using it. This allows normal operation to proceed without intervention from a System Security Officer.
To set this configuration parameter, use sp_configure. You must have the sso_role active. The syntax is:
sp_configure "suspend audit when device full", [0|1]
0 – truncates the next audit table and starts using it as the current audit table whenever the current audit table becomes full. If you set the parameter to 0, the audit process is never suspended; however, older audit records are lost if they have not been archived.
1 (the default value) – suspends the audit process and all user processes that cause an auditable event. To resume normal operation, the System Security Officer must log in and set up an empty table as the current audit table. During this period, the System Security Officer is exempt from normal auditing. If the System Security Officer’s actions would generate audit records under normal operation, Adaptive Server sends an error message and information about the event to the error log.
If you have a threshold procedure attached to the audit table segments, set suspend audit when device full to 1 (on). If it is set to 0 (off), Adaptive Server may truncate the audit table that is full before your threshold procedure has a chance to archive your audit records.
Copyright © 2005. Sybase Inc. All rights reserved. |