System Administration Guide: Security Services

Procedure: How to Merge Audit Files From the Audit Trail

By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/audit/server-name/files, the auditreduce command can find the output file without your specifying the full path.


Note –

This procedure applies only to binary audit records.


  1. Assume a role that includes the Audit Review profile, or become superuser.

    The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

  2. Create a directory for storing merged audit files.


    # mkdir audit-trail-directory
    
  3. Limit access to the directory.


    # chmod 700 audit-trail-directory
    # ls -la audit-trail-directory
    drwx------   3 root     sys          512 May 12 11:47 .
    drwxr-xr-x   4 root     sys         1024 May 12 12:47 ..

  4. Merge the audit records in the audit trail.

    Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.


    # cd audit-trail-directory
    # auditreduce -Uppercase-option -O suffix
    

    The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:

    -A

    Selects all of the files in the audit trail.

    -C

    Selects complete files only. This option ignores files with the suffix not_terminated.

    -M

    Selects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file.

    -O

    Creates an audit file in the current directory whose name carries 14-character timestamps for both the start time and the end time of the records, followed by the suffix that you specify.

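The following shell script is an added example and is not part of the guide or of the auditreduce command. It checks two things a reviewer of a summary directory would want to verify after steps 3 and 4: that the directory really is restricted to its owner (mode 700), and that the file names in it follow the start-timestamp.end-timestamp.suffix form that -O produces, with still-open files (the not_terminated suffix that -C skips) reported separately. It assumes only POSIX sh and the standard ls -ld output format; the sample file names at the bottom are constructed, not taken from a real audit trail.

```shell
#!/bin/sh
# Added example, not part of the guide. Classifies auditreduce file names of
# the form start.end.suffix (two 14-digit timestamps) and checks that a
# summary directory has the mode 700 that the procedure requires.

# is_timestamp STRING: true if STRING is exactly 14 decimal digits.
is_timestamp() {
    case $1 in
        ??????????????) ;;          # exactly 14 characters
        *) return 1 ;;
    esac
    case $1 in
        *[!0-9]*) return 1 ;;       # any non-digit disqualifies it
    esac
    return 0
}

# classify_audit_file NAME
# Exit status: 0 = complete file (start.end.suffix),
#              2 = still-open file (start.not_terminated.suffix),
#              1 = not an audit trail file name.
classify_audit_file() {
    name=$1
    start=${name%%.*}
    rest=${name#*.}
    end=${rest%%.*}
    suffix=${rest#*.}
    # Require three dot-separated fields and a non-empty suffix.
    [ "$rest" != "$name" ] && [ "$suffix" != "$rest" ] && [ -n "$suffix" ] || return 1
    is_timestamp "$start" || return 1
    if [ "$end" = not_terminated ]; then
        return 2
    fi
    is_timestamp "$end" || return 1
    # Equal-length digit strings order the same lexically and numerically,
    # so expr can check that the start time does not follow the end time.
    [ "$(expr "$start" \<= "$end")" = 1 ] || return 1
    return 0
}

# summary_dir_is_private DIR: true if DIR is a directory with mode 0700
# (drwx------), as step 3 of the procedure requires. Parses ls -ld so it
# also works on systems without a stat(1) command.
summary_dir_is_private() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1") || return 1
    mode=${mode%% *}                  # first field: type and permission bits
    mode=$(printf '%.10s' "$mode")    # drop any trailing ACL marker such as '+'
    [ "$mode" = "drwx------" ]
}

# Constructed sample names (not from a real audit trail) for a quick run.
for f in 20030827183214.20030827215318.All \
         20030827183214.not_terminated.example1 \
         notes.txt; do
    rc=0
    classify_audit_file "$f" || rc=$?
    case $rc in
        0) echo "complete:       $f" ;;
        2) echo "not terminated: $f" ;;
        *) echo "not audit file: $f" ;;
    esac
done
```

Run it inside the summary directory with `for f in *; do classify_audit_file "$f"; done` to confirm that every file there is a completed merge; a name that comes back as not terminated means an audit file was still being written when it was copied, and -C would have excluded it.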

Example 30–25 Copying Audit Files to a Summary File

In the following example, the System Administrator role, sysadmin, copies all files from the audit trail into a merged file.


$ whoami
sysadmin
$ mkdir /var/audit/audit_summary.dir
$ chmod 700 /var/audit/audit_summary.dir
$ cd /var/audit/audit_summary.dir
$ auditreduce -A -O All
$ ls *All
20030827183214.20030827215318.All

In the following example, only complete files are copied from the audit trail into a merged file.


$ cd /var/audit/audit_summary.dir
$ auditreduce -C -O Complete
$ ls *Complete
20030827183214.20030827214217.Complete

In the following example, only complete files are copied from the example1 machine into a merged file.


$ cd /var/audit/audit_summary.dir
$ auditreduce -M example1 -O example1summ
$ ls *summ
20030827183214.20030827214217.example1summ


Example 30–26 Moving Audit Files to a Summary File

The -D option to the auditreduce command deletes the input audit files after it has copied their records to the output file. In the following example, the complete audit files from one system are copied to the summary directory for later examination.


$ cd /var/audit/audit_summary.dir
$ auditreduce -C -O daily_example1 -D example1
$ ls *example1
20030827183214.20030827214217.daily_example1

The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes.