AUDITFILE Emitter

The AUDITFILE emitter is used by the audit consolidation process to write audit records to a collection of audit files. The maximum size of each audit file and the number of audit files in a collection are configurable. However, there is always a minimum of two files defined for each collection.

The emitter only writes to one file in a collection at any given time. Once that file has reached its maximum size, it is closed and the next file in the collection is opened and written to. Once all files in the collection have been written, the emitter will attempt to re-use the first file in the collection. This attempt will be denied if the contents of the audit file have not been dumped (see Dumping Audit Files).

When the last available file in the collection becomes half full, the emitter writes a warning event to the Windows event log, or to the Unix syslog.

When the last available file in the collection becomes full, the emitter writes an error event to the Windows event log, or to the Unix syslog. The emitter then attempts to cache audit events in memory until a file becomes available. If memory becomes exhausted, the emitter will start removing events from the cache until enough memory is released to cache the most recent event. Once a file becomes available, an audit event indicating how many audit events were lost is written to that file.
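
The rotation, caching and loss-reporting behaviour described above, modelled as an added Python example (not the product's code) to show how undumped files lead to lost audit events. Assumptions: sizes are counted in events rather than bytes, `cache_limit` stands in for memory exhaustion, the oldest cached events are removed first, and the lost-events record is written ahead of the cached events; all class, method and message names are hypothetical.

```python
from collections import deque

class AuditFileModel:
    """Toy model of the rotation rules above; sizes are event counts, not bytes."""
    def __init__(self, n_files=2, max_size=4, cache_limit=3):
        self.max_size, self.cache_limit = max_size, cache_limit
        self.files = [[] for _ in range(n_files)]
        self.free = [False] + [True] * (n_files - 1)   # file 0 is in use
        self.cur, self.cache, self.lost, self.syslog = 0, deque(), 0, []

    def _next_free(self):
        nxt = (self.cur + 1) % len(self.files)
        return nxt if self.free[nxt] else None         # re-use denied until dumped

    def emit(self, event):
        if len(self.files[self.cur]) >= self.max_size:
            nxt = self._next_free()
            if nxt is None:                            # nothing to rotate to: cache
                while len(self.cache) >= self.cache_limit:
                    self.cache.popleft()               # assumption: oldest goes first
                    self.lost += 1
                self.cache.append(event)
                return
            self.cur, self.free[nxt] = nxt, False      # open the next file
        self.files[self.cur].append(event)
        used = len(self.files[self.cur])
        if self._next_free() is None:                  # this is the last available file
            if used == self.max_size:
                self.syslog.append("ERROR: last available audit file is full")
            elif (used - 1) * 2 < self.max_size <= used * 2:
                self.syslog.append("WARNING: last available audit file is half full")

    def dump(self, i):                                 # caller dumps a full, non-current file
        dumped, self.files[i], self.free[i] = self.files[i], [], True
        if self.cache and self._next_free() is not None:
            pending = list(self.cache)
            self.cache.clear()
            if self.lost:                              # assumption: notice is written first
                pending.insert(0, f"{self.lost} audit events were lost")
                self.lost = 0
            for e in pending:
                self.emit(e)
        return dumped

def demo():
    m = AuditFileModel()
    for n in range(1, 14):                             # constructed events e1..e13
        m.emit(f"e{n}")
    return m, m.dump(0)
```

In `demo()`, events e9 and e10 never reach a file: they are removed from the cache while both files are full and undumped, and the only trace of them is the lost-events record written after file 0 is dumped.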
