Set the following configuration parameters for your auditing installation:
audit queue size sets the number of records in the audit queue in memory.
suspend audit when device full determines what Adaptive Server does if the current audit table becomes completely full. The full condition occurs only if the threshold procedure attached to the current table segment is not functioning properly.
The default audit queue size is 100 bytes. The amount of memory consumed by the audit queue pool is defined the audit queue size parameter, and includes data buffers and overhead for the memory pool. However, the amount of memory in the pool can vary between releases and chip architectures.
Use sp_configure to set the length of the audit queue. The syntax is:
sp_configure "audit queue size", [value]
value is the number of records that the audit queue can hold. The minimum value is 1, and the maximum is 65,535. For example, to set the audit queue size to 300, execute:
sp_configure "audit queue size", 300
For more information about setting the audit queue size and other configuration parameters, see Chapter 5, “Setting Configuration Parameters.”
If you have two or more audit tables, each on a separate device other than the master device, and have a threshold procedure for each audit table segment, the audit devices should never become full. Only if a threshold procedure is not functioning properly would the “full” condition occur. Use sp_configure to set the suspend audit when device full parameter to determine what happens if the devices do become full. Choose one of these options:
Suspend the auditing process and all user processes that cause an auditable event. Resume normal operation after a system security officer clears the current audit table.
Truncate the next audit table and start using it. This allows normal operation to proceed without intervention from a system security officer.
Use sp_configure to set this configuration parameter. You must have the sso_role active. The syntax is:
sp_configure "suspend audit when device full", [0|1]
0 – truncates the next audit table and starts using it as the current audit table whenever the current audit table becomes full. If you set the parameter to 0, the audit process is never suspended; however, older audit records are lost if they have not been archived.
1 (the default value) – suspends the audit process and all user processes that cause an auditable event. To resume normal operation, the system security officer must log in and set up an empty table as the current audit table. During this period, the system security officer is exempt from normal auditing. If the system security officer’s actions would generate audit records under normal operation, Adaptive Server sends an error message and information about the event to the error log.
If you have a threshold procedure attached to the audit table segments, set suspend audit when device full to 1 (on). If it is set to 0 (off), Adaptive Server may truncate the audit table that is full before your threshold procedure has a chance to archive your audit records.
