/private/var/audit/20201003230440.crash_recovery

When I do a backup, the log window shows this kind of file: /private/var/audit/20201003230440.crash_recovery. My backup program ignores these files. Here’s the problem.


It appears these files started accumulating on Oct. 3, 2020 and have continued to the most recent backup on June 6, 2023. There are in excess of 500 of these files.


I have tried to find out some information about them with little luck. So I would like to know:


Why are they accumulating and can I stop it?


Can I delete them?

iMac 27″, macOS 13.4

Posted on Jul 8, 2023 2:48 PM

Question marked as Top-ranking reply

Posted on Jul 8, 2023 3:07 PM

Boot into Safe Mode, then reboot normally, and check again.


Start up your Mac in safe mode - Apple Support


Safe Mode cleans up and rebuilds various caches. (It may not clear this case.)


If the Safe Mode boot fails to resolve this, then launch Terminal.app and issue the command:

audit -e 


It appears that auditing is enabled, which is common. And that the audit data is not getting cleaned up. Which is not common. (I have the expected week or so of those audit files locally, which means log rotation is working here. But is apparently not working there.) (dialabrain: sudo is your friend. Or can be your enemy. Depending on the command.)


If the deletion via the audit command fails, yes, you can sudo rm and remove those files. With care.


For details on auditing and the above command, use the command-line command:

man audit


And because your data is important, you will want to have complete and current backups before any of this. The above-listed commands are all benign, but some command mistakes can be bad (including those errors involving sudo rm), and other errors and issues are also possible. And there’s already something a little weird happening here.

8 replies
Aug 5, 2023 6:48 AM in response to Stan F.

I had these files in that /private/var/audit folder dating from current back to 2018. Used the following command to trim all but the last 90 days' worth:


sudo find /private/var/audit/ -type f -mtime +90 -maxdepth 1 -exec rm -f {} \;


Ironically, Apple's audit app and audit_control were written under contract to Apple by McAfee Research (see man audit_control for that tidbit). Apple has the audit command marked as deprecated in its man page.


The /etc/security/audit_control config file on my Ventura 13.5 suggests it will expire files after 10MB of storage is consumed by them but before the trim job above, I had over 250MB of them.
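A dry-run check of what the posts above describe, added here as an example and not written by any poster in this thread: it compares the space the trail files use with the size given on the expire-after line of audit_control and lists the files an age-based trim would match, without deleting anything. The function names are hypothetical; the `.not_terminated` suffix and the `current` symlink are the standard OpenBSM names for the active trail.

```shell
#!/bin/sh
# Added example: read-only report on an OpenBSM audit trail directory.

# Convert an audit_control size such as 10M into bytes (suffix B, K, M or G).
size_to_bytes() {
    num=${1%[BbKkMmGg]}
    case "$1" in
        *[Kk]) echo $((num * 1024)) ;;
        *[Mm]) echo $((num * 1024 * 1024)) ;;
        *[Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# Size part of the expire-after line; prints nothing when only an age is set.
expire_after_bytes() {
    val=$(sed -n 's/^expire-after:\(.*\)/\1/p' "$1" | grep -Eo '[0-9]+[BKMG]' | head -n 1)
    if [ -n "$val" ]; then size_to_bytes "$val"; fi
}

# Total bytes held by regular files directly inside the directory.
trail_bytes() {
    find "$1" -maxdepth 1 -type f -exec cat {} + | wc -c | tr -d ' '
}

# Closed trails older than $2 days. The active trail (*.not_terminated) is
# excluded by name, and the "current" symlink is skipped by -type f.
stale_trails() {
    find "$1" -maxdepth 1 -type f -mtime +"$2" ! -name '*.not_terminated' | sort
}

audit_report() {
    dir=$1; conf=$2; days=$3
    used=$(trail_bytes "$dir")
    limit=$(expire_after_bytes "$conf")
    echo "trail files use $used bytes; expire-after size: ${limit:-none set}"
    if [ -n "$limit" ] && [ "$used" -gt "$limit" ]; then
        echo "usage is above the expire-after size: expiry is not keeping up"
    fi
    echo "closed trails older than $days days (listed only, nothing deleted):"
    stale_trails "$dir" "$days"
}

# On the Mac from this thread (needs root to read the directory):
#   audit_report /private/var/audit /etc/security/audit_control 90
```

Reviewing the listed files before running the `find ... -exec rm` command above confirms that only closed trails are matched.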

Aug 4, 2023 4:07 PM in response to Stan F.

Thanks for the suggestions. I did try Safe Start but it didn’t do anything. I probably used Terminal once or twice in 30+ years of Mac ownership. So I am leery of messing around with it. So I did it the old-fashioned way. I went to the /private/var folder and then the audit folder. I unlocked the audit folder and deleted a few. Locked the folder back up and waited a few days. Nothing happened. So I went back in and deleted a whole bunch. That will work for me even if they keep accumulating. Thanks again for your comments.


