Disk usage increases due to audit.log rotation failure caused by max_log_file_action set to IGNORE

Article ID: 425241

Products

VMware vCenter Server

Issue/Introduction

Users may observe a Low Disk Space warning in the appliance GUI. The disk usage for the root partition or the /var/log partition reaches a high threshold. Investigation using the du / ls command reveals that the audit.log file located in /var/log/audit is consuming a significant amount of disk space.

Example of file check:
ls -l /var/log/audit/
total 178257920
-rw------- 1 root root 182536110080 YYYY-MM-DDTHH:MM:SS audit.log

Environment

VMware Skyline Health Diagnostics
VMware vCenter Server

Cause

The /etc/audit/auditd.conf configuration file contains a setting max_log_file_action = IGNORE at the end of the file. This setting overrides any previous rotation settings such as max_log_file_action = ROTATE defined earlier in the file. Consequently, the auditd service ignores the file size limit and continues writing to the single log file indefinitely without rotation.

Resolution

To resolve this issue, remove the duplicate configuration entry, clear the bloated log file, and restart the appliance.

  1. Log in to the appliance via SSH as the root user.

  2. Verify the content of the configuration file.
    cat /etc/audit/auditd.conf

  3. Open the file with a text editor.
    vi /etc/audit/auditd.conf

  4. Remove the line max_log_file_action = IGNORE found at the end of the file. Ensure that max_log_file_action = ROTATE remains enabled in the upper section of the file.

  5. Save and close the file.

  6. Reduce the file size of the current audit.log to zero bytes to immediately reclaim disk space.
    truncate -s 0 /var/log/audit/audit.log

  7. Restart the appliance to apply the configuration changes and restore the auditd process state.
    reboot

  8. After the appliance reboots, verify that the logs are being rotated correctly or that the file size remains within the expected limit.
    ls -l /var/log/audit/
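
A check for the condition described under Cause, usable before step 4 and again at step 8 (added example, not part of the original article or of VMware tooling). It treats the last occurrence of the key as the effective one, as the article states, and assumes keys and values are matched case-insensitively; the function names and the sample configuration are constructed for illustration.

```shell
# Added example: list every active max_log_file_action line in an
# auditd.conf-style file and report the value that takes effect (the last one).
# Assumption: keys and values are compared case-insensitively.

# Print "<line-number> <VALUE>" for each non-comment occurrence of a key.
audit_key_occurrences() {    # $1 = config file, $2 = key name
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next               # not a "key = value" line
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", k)
            gsub(/[ \t\r]/, "", v)
            if (tolower(k) == tolower(key)) print NR, toupper(v)
        }' "$1"
}

# Print the effective value, i.e. the last occurrence in the file.
audit_effective_value() {
    audit_key_occurrences "$1" "$2" | awk '{ v = $2 } END { if (v != "") print v }'
}

# Exit status 0 only if ROTATE is the effective action; explains the result.
check_audit_rotation() {
    conf="$1"
    count=$(audit_key_occurrences "$conf" max_log_file_action | wc -l | tr -d ' ')
    effective=$(audit_effective_value "$conf" max_log_file_action)
    if [ "$count" -gt 1 ]; then
        echo "WARN: max_log_file_action is defined $count times:"
        audit_key_occurrences "$conf" max_log_file_action | sed 's/^/  line /'
    fi
    echo "effective max_log_file_action: ${effective:-<unset>}"
    [ "$effective" = "ROTATE" ]
}

# Constructed sample reproducing the condition described in this article.
sample=$(mktemp)
cat > "$sample" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left_action = SYSLOG
max_log_file_action = IGNORE
EOF
check_audit_rotation "$sample" || echo "RESULT: rotation is not in effect"
rm -f "$sample"
```

To check the appliance itself, call check_audit_rotation /etc/audit/auditd.conf instead of the sample file.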

 

Additional Information

Japanese version: max_log_file_action が IGNORE に設定されているため audit.log がローテーションされずディスク使用量が増加する(425242)