Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

audit issue

6 posts in General Discussion Last posting was on 2011-02-15 15:42:37.0Z
vtpcnk Posted on 2011-02-14 12:17:33.0Z
Sender: 7c44.4d591bf5.1804289383@sybase.com
From: vtpcnk
Newsgroups: sybase.public.ase.general
Subject: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d591d5d.7c8b.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 14 Feb 2011 04:17:33 -0800
X-Trace: forums-1-dub 1297685853 10.22.241.41 (14 Feb 2011 04:17:33 -0800)
X-Original-Trace: 14 Feb 2011 04:17:33 -0800, 10.22.241.41
Lines: 15
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29963
Article PK: 79191

we have a sybsecurity of size 400mb data and 100 mb log.

we have a database to archive this audit information. this
archive database is 7gb data (of which 2gb is currently
free) and 3gb log. so when the data in sybsecurity hits a
certain percentage the threshold moves the data to the
archive db.

sometime last week on both dbs the log went full and the
system hung.

but i can't understand how a sybsecurity db with 400mb data
can fill up the archive db log which is 3gb.

appreciate any insights.


vtpcnk Posted on 2011-02-14 12:29:09.0Z
Sender: 7c44.4d591bf5.1804289383@sybase.com
From: vtpcnk
Newsgroups: sybase.public.ase.general
Subject: Re: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d592015.7cf6.1681692777@sybase.com>
References: <4d591d5d.7c8b.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 14 Feb 2011 04:29:09 -0800
X-Trace: forums-1-dub 1297686549 10.22.241.41 (14 Feb 2011 04:29:09 -0800)
X-Original-Trace: 14 Feb 2011 04:29:09 -0800, 10.22.241.41
Lines: 4
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29964
Article PK: 79192

btw the sybsecurity has trunc log on chkpt turned on. the
archive db has both trunc log on chkpt and abort tran on log
full turned on. but yet log full on both dbs caused the
system to hang.


vtpcnk Posted on 2011-02-14 12:59:43.0Z
Sender: 7c44.4d591bf5.1804289383@sybase.com
From: vtpcnk
Newsgroups: sybase.public.ase.general
Subject: Re: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d59273f.7e6a.1681692777@sybase.com>
References: <4d592015.7cf6.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 14 Feb 2011 04:59:43 -0800
X-Trace: forums-1-dub 1297688383 10.22.241.41 (14 Feb 2011 04:59:43 -0800)
X-Original-Trace: 14 Feb 2011 04:59:43 -0800, 10.22.241.41
Lines: 24
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29965
Article PK: 79194

we got these errors at that time :

05:00000:00008:2011/02/11 05:51:19.49 server Can't allocate
space for object 'syslogs' in database 'auditarchive_db'
because 'logsegment' segment is full/has no free extents. If
you ran out of space in syslogs, dump the transaction log.
Otherwise, use ALTER DATABASE to increase the size of the
segment.
00:00000:00011:2011/02/11 05:51:20.83 server AUDIT PROCESS
EXCEPTION: Can't allocate space for either syslogs or the
current sysaudit table in database 'sybsecurity' because the
corresponding segment is full/has no free extents. Please
refer to Security Administration Guide for details.
00:00000:00011:2011/02/11 05:51:20.83 server Error: 4720,
Severity: 16, State: 1
00:00000:00011:2011/02/11 05:51:20.83 server Cannot
truncate table 'sysaudits_03' because there are one or more
isolation lev
el 0 scans, or REORG command, active on the table.
00:00000:00011:2011/02/11 05:51:20.83 server Error: 10812,
Severity: 16, State: 2
00:00000:00011:2011/02/11 05:51:20.83 server Unable to
truncate the audit table 'sysaudits_03'. Configuration of
current audit table failed.


jobless Posted on 2011-02-14 21:50:19.0Z
Sender: f7a.4d5983bd.1804289383@sybase.com
From: jobless
Newsgroups: sybase.public.ase.general
Subject: Re: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d59a39a.145e.1681692777@sybase.com>
References: <4d592015.7cf6.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 14 Feb 2011 13:50:19 -0800
X-Trace: forums-1-dub 1297720219 10.22.241.41 (14 Feb 2011 13:50:19 -0800)
X-Original-Trace: 14 Feb 2011 13:50:19 -0800, 10.22.241.41
Lines: 9
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29966
Article PK: 79195


> btw the sybsecurity has trunc log on chkpt turned on. the
> archive db has both trunc log on chkpt and abort tran on
> log full turned on. but yet log full on both dbs caused
> the system to hang.

one of the things to check would be, how you cleanup the
auditarchive_db data? It could be the auditarchive_db
cleanup job and the sybsecurity threshold procedure
triggered at the same time using up logsegment space;


vtpcnk Posted on 2011-02-15 10:08:01.0Z
Sender: 2c59.4d5a4fc1.1804289383@sybase.com
From: vtpcnk
Newsgroups: sybase.public.ase.general
Subject: Re: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d5a5081.2c7a.1681692777@sybase.com>
References: <4d59a39a.145e.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 15 Feb 2011 02:08:01 -0800
X-Trace: forums-1-dub 1297764481 10.22.241.41 (15 Feb 2011 02:08:01 -0800)
X-Original-Trace: 15 Feb 2011 02:08:01 -0800, 10.22.241.41
Lines: 18
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29967
Article PK: 79196

that was a good question.

everytime the data is archived from sybsecurity, a stored
procedure is executed to purge some data from the archive db
to make space for the new data (i suppose). likewise the
same purge procedure is executed by the thresholds within
the archive db as well. so is it possible that both kicked
off at the same time and filled the log of the archive db?

> > btw the sybsecurity has trunc log on chkpt turned on.
> > the archive db has both trunc log on chkpt and abort
> > tran on log full turned on. but yet log full on both dbs
> > caused the system to hang.
>
> one of the things to check would be, how you cleanup the
> auditarchive_db data? It could be the auditarchive_db
> cleanup job and the sybsecurity threshold procedure
> triggered at the same time using up logsegment space;


vtpcnk Posted on 2011-02-15 15:42:37.0Z
Sender: 2c59.4d5a4fc1.1804289383@sybase.com
From: vtpcnk
Newsgroups: sybase.public.ase.general
Subject: Re: audit issue
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4d5a9eed.3a42.1681692777@sybase.com>
References: <4d591d5d.7c8b.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 15 Feb 2011 07:42:37 -0800
X-Trace: forums-1-dub 1297784557 10.22.241.41 (15 Feb 2011 07:42:37 -0800)
X-Original-Trace: 15 Feb 2011 07:42:37 -0800, 10.22.241.41
Lines: 12
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:29968
Article PK: 79197

apparently there was a whole series of commands which filled
up 3 audit segments of 100 mb each.

what kind of command(s) could fill up 300 mb worth of space?

i checked for replication maintenance user - but that's not
audited.

are login failures logged? wondering if some program
repeatedly tried to login or something ...

appreciate any insights.