Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Junos Space] /var/log/audit directory occupies most disk-space



Article ID: KB33248 KB Last Updated: 08 Jan 2019Version: 1.0

This article explains how to clear the /var/log/ partition if the audit directory is occupying most of the disk-space.

This applies to Junos Space versions 17.x and 18.x



[root@space-005056b20ad6 ~]# df -kh
Filesystem            Size  Used Avail Use% Mounted on
                       42G  4.5G   35G  12% /
tmpfs                  12G  4.0K   12G   1% /dev/shm
/dev/sda1              93M   33M   56M  37% /boot
                       48G   94M   46G   1% /tmp
                      111G   21G   85G  20% /var
                       39G   37G     0 100% /var/log
[root@space-005056b20ad6 ~]#du -hs /var/log/‚Äčaudit
31G     audit


For Space version 18.2 and higher:

  • Purging Policy for Space logs is not enabled.

For Space version 17.x and 18.1: 

  • If Purging Policy is enabled to clear disk space when a set threshold is crossed, it still does not work for Space Logs. The reasons for that are the regular expressions used to filter out the list of files is not valid in these versions of Space and another parameter "recursivelySearchSubFolders" which is set as 0 by default.

For Space versions 18.2 and higher: Please enable Purging Policy for category - Space Logs. More information , refer to documentation on Viewing the Junos Space Purging Policy and Purging Criteria

For Space versions lower than 18.2, please make the following changes form the Space CLI:

  1. Log into the CLI of the VIP node as "admin", and enter debug mode.

  2. Modify the expression for Purging Policy:

    # mysql -ujboss -p$(grep mysql.jboss /etc/sysconfig/JunosSpace/pwd | awk -F= '{print $2}') build_db -e "update PurgingPolicy_PartitionDirectory set recursivelySearchSubFolders=1 where name='/var/log';"
    # mysql -ujboss -p$(grep mysql.jboss /etc/sysconfig/JunosSpace/pwd | awk -F= '{print $2}') build_db -e "update PurgingPolicy_PartitionDirectory set fileNamePattern='.*\.log(\.|-).*|^messages-.*|^SystemStatusLog-.*' where name='/var/log';"

    # mysql -ujboss -p$(grep mysql.jboss /etc/sysconfig/JunosSpace/pwd | awk -F= '{print $2}') build_db -e "select * from PurgingPolicy_PartitionDirectory where name='/var/log';"
    Warning: Using a password on the command line interface can be insecure.
    | id        | domainId | version | fileNamePattern                                | name     | recursivelySearchSubFolders | category_id |
    | 1076      |     NULL |       0 | .*.log(.|-).*|^messages-.*|^SystemStatusLog-.* | /var/log | 1                           |   1061      |
  3. . For maintenance purposes, follow the steps below (optional):

    To limit disk usage due to the logs generated from the auditd daemon (server process), modify the /etc/audit/auditd.conf file. Deleting files manually is not required, since post restart of service auditd, the contents will be flushed automatically from the /var/log/audit directory as per the settings in the auditd.conf file.

    Find the change that you need to perform under /etc/audit/auditd.conf file below:

    This file controls the configuration of the audit daemon.

    log_file = /var/log/audit/audit.log
    log_format = RAW
    log_group = root
    priority_boost = 4
    flush = INCREMENTAL
    freq = 20
    num_logs = 5
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file = 6
    max_log_file_action = KEEP_LOGS  <-- replace KEEP_LOGS with ROTATE
    space_left = 500
    space_left_action = SYSLOG <--replace SYSLOG with ROTATE
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SYSLOG
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    ##tcp_listen_port =
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key

    You can make the changes by following these commands:

    1. Change directory:  # cd /etc/audit
    2. Edit file: # vi auditd.conf
      Type i to enter insert/editing mode.
      Make changes as stated above .
      Press Esc to enter command mode.
      Type :wq and press ↵ Enter.
    3. Restart audit daemon: # /etc/init.d/auditd restart

Please contact JTAC for further assistance.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search