To Reduce Audit Files

The auditreduce program can also reduce the number of records in its output file by eliminating the less interesting ones as it combines the input files.

You might use auditreduce to eliminate all except the login/logout events in audit files over a month old, assuming that if you needed to retrieve the complete audit trail you could recover it from backup tapes. The following example selects just the audit records from April 1997.

$ auditreduce -m AUE_LOGIN -a 19970401000000 \
-b 19970501000000 \
-O /usr/audit_summary/logins_april97 

The output is a smaller file containing just the April 1997 login/logout records. Note that the end-time stamp is the date (in GMT) that the command was run (June 1, 1997), not the last date of the merged records. You specified the file suffix, logins_april97, on the command line with the directory name.

/usr/audit_summary/19970401000000.19970601000000.logins_april97