Audit Log Volume Full Due to Accumulation of Old Audit Logs
Applies to
- ONTAP 9
- CIFS Auditing
Issue
The audit log volume on the storage system is full due to the accumulation of old audit log files.
- EMS log reports:
wafl_vol_full type="volume" owner="" vol="vol_auditlog" app="" volident="@vserver:b499fcd7-7ec3-11ea-8370-d039ea184d84" requested="12.0KB" available="8.00KB"
adt_dest_directory_full destination="/clus/SVM1/vol_auditlog/" vserver="SVM1"- The following command output shows the presence of old audit log files:
Cluster::> vserver security file-directory show -vserver SVM1 -path /vol_auditlog/* -fields path
vserver path
------- ----------------------
SVM1 /vol_auditlog/auditlog
SVM1 /vol_auditlog/.copy_offload
SVM1 /vol_auditlog/.copy_offload/.tokens
SVM1 /vol_auditlog/audit_SVM1_D2025-07-23-T05-02-55_0000000000.evtx
SVM1 /vol_auditlog/audit_SVM1_D2025-07-23-T06-28-50_0000000000.evtx
SVM1 /vol_auditlog/_audit_SVM1_D2025-06-20-T00-39-56_000000000020250620093956.evtx
SVM1 /vol_auditlog/_audit_SVM1_D2025-06-20-T01-13-46_000000000020250620101347.evtx
SVM1 /vol_auditlog/_audit_SVM1_D2025-06-20-T01-45-29_000000000020250620104529.evtx
....
SVM1 /vol_auditlog/_audit_SVM1_D2025-07-22-T09-18-19_000000000020250722181819.evtx