Article Number
000029915
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: All
Platform (DB): Oracle 11.x, 12.x
Issue
The Oracle database audits certain SQL commands and connections and logs this information into audit files (.aud) on the Linux file system. These files accumulate over time and should periodically be cleaned up to regain disk space.
Because of certain audit requirements, attempts to archive or purge these files using normal commands may fail. For example, using a typical tar command would result in a too many arguments error. This RSA Knowledge Base Article explains how to use the tar command to create a gzipped tar file of the audit files without error.
Resolution
To create a gzipped tar file of the .aud files in the audit directory, follow these steps:
- Find the location of the .aud files
The .aud files are located in the directory specified by the
audit_file_dest parameter.
Login to SQL*Plus as SYSDBA
$ sqlplus / as sysdba
SQL> show parameter audit;
The default value is
$ORACLE_HOME/admin/{SID}/adump. (in this example,
$ORACLE_HOME/admin/AVDB/adump.)
NOTE: Audit logs may also be found in
$ORACLE_HOME/product/{version}/db_1/rdbms/audit.- Go to the directory with the audit files.
As the oracle or root user
cd $ORACLE_HOME/admin/AVDB/adump
- Execute this command to create the tar file:
tar zcvf audit_`date +%Y%m%d_%H%M%S`.tar.gz --remove-files --exclude=*.tar.gz . 2> /dev/null
- The command will begin to echo each file that is being archived.
- As it archives each file, it will remove it from the folder.
- The exclude statement in the command ensures that subsequent runs will not include the previous archive file in the current archive
- The 2> omits an expected error at the end of the command completion where it attempts to remove (rmdir) the current non-empty directory.
- A gzipped tar file is created in the format: <date and time>.tar.gz
