Audit logs are output to the destination specified by the log_audit_path in the log service definition, using a file rotation system. The files are output to the following destinations by default:

• In Windows
  %DCDIR%\auditlog\audit.log
  
• In UNIX
  $DCDIR/auditlog/audit.log
  

Audit log information is output to the audit log file until the file reaches the size specified in the log_audit_size operand of the log service definition. The number of generations of audit log files that are created is determined by the log_audit_count operand in the log service definition.

The following figure shows the flow of audit log acquisition under a file rotation system. In this example, the value of the log_audit_count operand is 4.

Figure 3-5 Audit log acquisition by file rotation

1. When the size of the current file (audit.log) with the accumulated audit log information reaches the value specified for the log_audit_size operand, the current file is renamed audit001.log.
2. When the new current file again reaches the size specified for the log_audit_size operand, the file audit001.log, which is a backup of the old current file, is renamed audit002.log. The new current file is then renamed audit001.log.
3. When yet another current file reaches the size specified for the log_audit_size operand, the backup file audit002.log is renamed audit003.log, and audit001.log is renamed audit002.log. The current file is then renamed audit001.log.

When the number of files exceeds the value specified for the log_audit_count operand, the oldest backup file is deleted.

When an error occurs that causes audit log output to fail, a message reporting this fact is output to standard error output and syslog.

If a process executed by a user who is not root or an OpenTP1 system administrator results in the creation of a new audit log file, the user who executed the process becomes the owner of the new file.