If the current audit device and the audit queue become full, the system security officer becomes exempt from auditing. Every auditable event performed by a system security officer after this point sends a warning message to the error log file. The message states the date and time and a warning that an audit has been missed, as well as the login name, event code, and other information that would normally be stored in the extrainfo column of the audit table.
When the current audit table is full, the system security officer can archive and truncate the audit table as described in “Archiving the audit table”. A system administrator can execute shutdown to stop the server and then restart the server to reestablish auditing.
If the audit system terminates abnormally, the system security officer can shut down the server after the current audit table has been archived and truncated. Normally, only the system administrator can execute shutdown.
