Users may observe a Low Disk Space warning in the appliance GUI. The disk usage for the root partition or the /var/log partition reaches a high threshold. Investigation using the du command reveals that the audit.log file located in /var/log/audit is consuming a significant amount of disk space.

Example of file check:

ls -l /var/log/audit/
total 178257920
-rw------- 1 root root 182536110080 YYYY-MM-DDTHH:MM:SS audit.log

VMware Skyline Health Diagnostics

The auditd service may not rotate the log files as expected in some environments, causing a single audit.log file to grow indefinitely until it consumes the available disk space.

To resolve this issue, clear the bloated log file and force a log rotation manually.

1. Log in to the appliance via SSH as the root user.

2. Verify the size of the audit log file.
   ls -l /var/log/audit/

3. Reduce the file size to zero bytes to immediately reclaim disk space.
   truncate -s 0 /var/log/audit/audit.log

4. Verify that the file size is now zero.
   ls -l /var/log/audit/audit.log

5. Identify the Process ID (PID) of the auditd service.
   ps aux | grep auditd

6. Send the SIGUSR1 signal to the auditd process to trigger a log rotation. Replace <PID> with the actual Process ID identified in the previous step.
   kill -SIGUSR1 <PID>

7. Verify that the logs have been rotated. A new audit.log file should be created, and the previous file may be renamed to audit.log.1.
   ls -l /var/log/audit/

Japanese version: /var/log/audit 内の audit.log ファイル肥大化によりディスク使用率が増加する(424239)