When the Access Monitor (a.k.a. Audit Log) feature was added to AMT back in release 4.0 (see the original blog post), there was concern about its behaviour when the log became full.
To ensure the Auditor had a chance to see all the events flagged as "critical", these events would not be allowed to run when the log was full. This was a security feature to ensure that a sneaky admin (or other user with sufficient privilege) would not be able to perform some improper activity and slip it by the Auditor because the log was full.
However, this also created a situation where systems could be prevented from getting managed properly due to events being blocked by a full audit log. If something happened to the Auditor (or group of people with Auditor permissions) that prevented them from cleaning the log, it could easily become full and block critical events.
So starting with AMT 5.1, this feature has been updated to give users a choice in how their Access Monitor implementation behaves when the log fills up, including letting the log roll over. The Auditor can now set one of the following policies:
- No Roll Over: When full, critical events will fail and others won't be logged
- Roll Over: When full, overwrite the oldest
- Restricted Roll Over: When full, overwrite the oldest entries only if they are older than a given date
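To make the three policies concrete, here is a small simulation added for this post (it is not code from the AMT SDK): a fixed-capacity log is filled, then a critical and a non-critical event are submitted, and each policy decides whether the event is logged, overwrites the oldest entry, proceeds unlogged, or is blocked. The class and function names, the capacity and the epoch-second timestamps are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    NO_ROLL_OVER = "no_roll_over"
    ROLL_OVER = "roll_over"
    RESTRICTED_ROLL_OVER = "restricted_roll_over"

@dataclass
class Event:
    timestamp: int       # constructed epoch seconds, not real AMT timestamps
    critical: bool
    description: str

class AuditLog:
    """Fixed-capacity log applying one of the three AMT 5.1 full-log policies (hypothetical model)."""
    def __init__(self, capacity, policy, cutoff=None):
        self.capacity = capacity
        self.policy = policy
        self.cutoff = cutoff   # RESTRICTED_ROLL_OVER: oldest entry is overwritable only if older than this
        self.records = []      # oldest first
        self.dropped = 0       # non-critical events that proceeded without being logged

    def record(self, event):
        """Log the event if allowed; return whether the audited action may proceed."""
        if len(self.records) < self.capacity:
            self.records.append(event)
            return True
        # The log is full: decide whether the oldest entry may be overwritten.
        may_overwrite = self.policy == Policy.ROLL_OVER or (
            self.policy == Policy.RESTRICTED_ROLL_OVER
            and self.records[0].timestamp < self.cutoff)
        if may_overwrite:
            self.records.pop(0)
            self.records.append(event)
            return True
        # No overwrite permitted: critical events fail, others proceed unlogged.
        if event.critical:
            return False
        self.dropped += 1
        return True

def simulate(policy, cutoff=None):
    # Fill a two-entry log, then submit one critical and one non-critical event.
    log = AuditLog(capacity=2, policy=policy, cutoff=cutoff)
    log.record(Event(100, False, "login"))
    log.record(Event(200, False, "power on"))
    critical_ok = log.record(Event(300, True, "firmware update"))
    other_ok = log.record(Event(400, False, "read inventory"))
    return critical_ok, other_ok, [e.description for e in log.records], log.dropped
```

Under No Roll Over the critical event is blocked and the non-critical one proceeds unlogged, which is exactly the management outage the 5.1 change addresses; under Restricted Roll Over the outcome depends on whether the oldest entry is older than the cutoff.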
To find out more, download the latest version of the SDK and look at the Access Monitor/Audit Log documentation and sample code.