OS X Private Folder – Runaway file “crash recovery” 126.61GB!

crashdisk-spacesnow leopard

Woke up this morning any my 250GB, which had approx. 50% free space last night, was totally out of disk space!

Took me all day, but finally found a file in /private/var/audit/ called "20110423020458.crash_recovery" that is 126.61GBytes!

I've tried running daily/weekly/monthly via Onyx. Running most all the cache cleaning scripts. Used Techtool, the DiskWarrior. Finally went to SnowLeopard Cache Cleaner and Applejack deep cleaning.

Nothing got rid of it. Only reason I eventually found the file at all is that it showed up in DaisyDisk (it didn't in other mappers).

Question is => is it safe top delete /private/var/audit/20110423020458.crash_recovery ?

I know there is various Unix core stuff in /private, but that is about the limit of my knowledge there. I've got all manner of good backups (CCL, Time Machine, Dropbox) – so I'm not as worried about data loss as I am jsut anxious to get my system back (everything working normal except disk space issued…booted from external drive and deleted 5GB to make some breathing room).

Thanks for any advice / tips in advance! – Larry

(System: MBP Late 2010 Unibody, 8GB RAM, 250GB HD, OS 10.6.7)

Best Answer

Yes. You have enabled auditing somewhere along the line, being a wise person, but you have not trimmed the file, being a human, like I. Note the instant edit ;)

man -k audit

if you can get a shell will show you where you need to go

( look at them on the apple dev site )

i think here you want 

audit -e

to get rid of your old audit files.

From the man page:

The audit utility controls the state of the audit system. One of the following flags is required as an argument to audit:

 -e      Forces the audit system to immediately remove audit log files
         that meet the expiration criteria specified in the audit control
         file without doing a log rotation.

 -i      Initializes and starts auditing.  This option is currently for
         Mac OS X only and requires auditd(8) to be configured to run
         under launchd(8).

 -n      Forces the audit system to close the existing audit log file and
         rotate to a new log file in a location specified in the audit
         control file.  Also, audit log files that meet the expiration
         criteria specified in the audit control file will be removed.

 -s      Specifies that the audit system should [re]synchronize its con-
         figuration from the audit control file.  A new log file will be
         created.

 -t      Specifies that the audit system should terminate.  Log files are
         closed and renamed to indicate the time of the shutdown.

On my system:

ls /var/audit
20110414160828.20110415024057 20110420155533.20110421134946
20110415024148.20110416200834 20110421140348.20110421151928
20110416200951.20110417013744 20110421152018.20110422125418
20110417014358.crash_recovery 20110422125606.20110422205003
20110417024720.20110417120347 20110422205003.20110423102007
20110417135346.20110419142539 20110423102114.20110423204207
20110419144659.20110419150605 20110423204320.20110424094847
20110419150626.20110419201121 20110424094940.not_terminated
20110419201223.20110419225009 build
20110419225100.20110420153215 current
[root:8va:0:~ ]# du -h /var/audit
4.0K    /var/audit/build
6.0M    /var/audit

Yes. It's audit -e

[root:8va:0:~ ]# audit -e
Trigger sent.
[root:8va:0:~ ]# du -h /var/audit
4.0K    /var/audit/build
6.0M    /var/audit
Related Question