audit_close - Linux


audit_close closes the Linux audit log and optionally frees the audit buffer. It is used to ensure that all audit events have been logged to the desired location before closing the audit service.


audit_close [-F|-f]


  • -F, –flush: Flush the audit buffer before closing the log.
  • -f, –force: Force the close even if errors occur.


Close the audit log without flushing the buffer:


Close the audit log and flush the buffer:

audit_close -F

Close the audit log and force the close even if errors occur:

audit_close -f

Common Issues

Permission denied:

Ensure that you have sufficient privileges to close the audit log.

Audit buffer already closed:

Restart the audit daemon to recreate the audit buffer.


audit_close can be used in conjunction with other audit commands, such as auditctl, to manage the audit system. For example, you can use the following script to close the audit log and stop the audit service:


systemctl stop auditd.service

Related Commands

  • auditd
  • auditctl
  • aureport