Trusted Solaris Audit Administration

To Combine Selected Audit Files

Although auditreduce can do this type of combination and deletion automatically (see the -C and -D options in the auditreduce(1M) man page), it is often easier to select the files manually (perhaps with find) and use the auditreduce command to combine just the named set of files.

  1. List the audit files as arguments to the auditreduce command.

    In the following example, a recurring job that starts a bit before midnight merges the audit files from two days before. The end time in the output file's name is the time the job ended, here just before midnight, Greenwich Mean Time (GMT).

    $ auditreduce 19970413000000.19970413235959.grebe \
    19970413000000.19970413235959.willet \
    19970413000000.19970413235959.sora
    $ ls *audubon
    19970413000000.19970414235959.audubon

  2. Delete the input files and move the output file to the audit root directory on the administration server.

    In this example, the auditreduce(1M) command was run on the audit administration server, audubon, and the merged file was then placed in that server's audit root directory so that future auditreduce runs locate it.

    $ rm /etc/security/grebe/files/19970413000000.19970413235959.grebe
    $ rm /etc/security/willet/files/19970413000000.19970413235959.willet
    $ rm /etc/security/sora/files/19970413000000.19970413235959.sora
    $ mv 19970413000000.19970414235959.audubon /etc/security/audit/audubon/files/
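The two steps above can be scripted so that the input files are never removed before the merged file has been checked. The following is an added example, not code from the Trusted Solaris manual. It assumes a layout of `<root>/<host>/files/` for the per-host audit files, closed files named `start.end.host` with 14-digit GMT timestamps, still-open files ending in `.not_terminated.<host>`, and that `auditreduce -O suffix` writes `start.end.suffix` into the current directory as described in auditreduce(1M); the `AUDITREDUCE` variable and every function name are the example's own.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual. Selects one day's closed
# audit files under an audit root with find, merges them with auditreduce, and
# removes the inputs only after the merged file has been verified.
# Assumptions (not stated on the page): per-host files live under
# <root>/<host>/files/, closed files are named start.end.host with 14-digit GMT
# timestamps, open files end in ".not_terminated.<host>", and
# "auditreduce -O suffix" writes start.end.suffix into the current directory.
set -u

AUDITREDUCE=${AUDITREDUCE:-auditreduce}   # overridable, e.g. for a dry run

# Print "start end host" for a closed audit file name; fail (status 1) for
# anything else, including still-open *.not_terminated.* files.
audit_file_fields() {
    name=$(basename "$1")
    start=${name%%.*}
    rest=${name#*.}
    end=${rest%%.*}
    host=${rest#*.}
    case "$start$end" in
        *[!0-9]*) return 1 ;;             # both timestamps must be all digits
    esac
    [ "${#start}" -eq 14 ] && [ "${#end}" -eq 14 ] && [ -n "$host" ] || return 1
    printf '%s %s %s\n' "$start" "$end" "$host"
}

# List (sorted, one per line) the closed audit files under root $1 whose start
# timestamp falls on day $2 (YYYYMMDD). Open files are skipped.
select_day_files() {
    find "$1" -type f -name "${2}??????.*" | while read -r f; do
        audit_file_fields "$f" >/dev/null && printf '%s\n' "$f"
    done | sort
}

# Merge day $2 under root $1 into start.end.$3 in the current directory, then
# delete the inputs only after the output exists, is non-empty and carries a
# well-formed name. An optional $4 is the directory the merged file is moved
# to (the audit root of the administration server in the manual's example).
# Prints the merged file's path on success.
merge_day_files() {
    root=$1; day=$2; suffix=$3; dest=${4:-}
    inputs=$(select_day_files "$root" "$day")
    if [ -z "$inputs" ]; then
        echo "merge_day_files: no closed audit files for $day under $root" >&2
        return 1
    fi
    # Word splitting on newlines is intended; audit file names contain no blanks.
    # shellcheck disable=SC2086
    "$AUDITREDUCE" -O "$suffix" $inputs || return 1
    merged=
    for candidate in ./"${day}"??????.*."$suffix"; do
        [ -s "$candidate" ] && audit_file_fields "$candidate" >/dev/null && merged=$candidate
    done
    if [ -z "$merged" ]; then
        echo "merge_day_files: merged file missing or empty; inputs kept" >&2
        return 1
    fi
    # shellcheck disable=SC2086
    rm -f $inputs
    if [ -n "$dest" ]; then
        mv "$merged" "$dest/" || return 1
        merged=$dest/$(basename "$merged")
    fi
    printf '%s\n' "$merged"
}
```

A run equivalent to the manual's example is `merge_day_files /etc/security 19970413 audubon /etc/security/audit/audubon/files`, executed from a scratch directory on the administration server. The point of the two guards is ordering: if auditreduce fails or writes an empty file, the function returns non-zero with every input still in place, so a re-run is possible and no audit records are lost.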