Trusted Solaris Audit Administration

To Prevent Audit Trail Overflow by Planning Ahead

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files and to delete the archived audit files from all audit file systems.

    The schedule must permit files to be deleted from the system before the hard limit of the system is reached. Scripts, including modified audit_warn scripts, can automatically move audit files to a separate disk before archiving.

  2. Manually archive audit files by backing them up on tape or moving them to an archive file system.

  3. Store, along with the audit trail, the context-sensitive information that will be needed to interpret the audit records.

    For example, the current list of users and passwords, the directory listings on the workstations, and other volatile information should be saved.

  4. Keep records of which audit files are moved offline.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data you store by creating summary files.

    You can extract summary files from the audit trail using options to auditreduce, so that the summary files contain only records for certain specified types of audit events. An example of this would be a summary file containing only the audit records for all logins and logouts. See The Audit Trail.
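The steps above form one archiving procedure: move closed audit files off the audit file system, keep a record of what was moved, save the context needed to interpret the records, and extract a login/logout summary with auditreduce. The script below is an added example, not from the Trusted Solaris documentation or from Sun. It assumes the Solaris audit file naming convention (start-time.end-time.hostname, with the file auditd is still writing carrying not_terminated as its end time) and a standard auditreduce with the -R, -c and -O options; the sample audit files, hostname and passwd-format file it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: archive closed Solaris-style audit files, record what was
# moved, save interpretation context, and (where auditreduce exists) write a
# login/logout summary. All sample data below is constructed.
set -e

# Build a constructed sample audit directory standing in for
# /etc/security/audit/<host>/files (path assumed; not verified here).
make_sample_audit_dir() {
  dir=$1
  mkdir -p "$dir"
  printf 'record data 1\n' > "$dir/20240101000000.20240101060000.host1"
  printf 'record data 2\n' > "$dir/20240101060000.20240101120000.host1"
  printf 'open file\n'     > "$dir/20240101120000.not_terminated.host1"
}

# Move every closed audit file from $1 into $2 and append one manifest line
# per file (UTC timestamp, file name, cksum) to $3. The not_terminated file is
# the one auditd is still writing, so it is deliberately left in place.
# Prints the number of files archived.
archive_closed_audit_files() {
  src=$1; dest=$2; manifest=$3
  mkdir -p "$dest"
  count=0
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    case $name in
      *.not_terminated.*) continue ;;
    esac
    sum=$(cksum "$f" | awk '{print $1}')
    mv "$f" "$dest/$name"
    printf '%s %s %s\n' "$(date -u +%Y%m%dT%H%M%SZ)" "$name" "$sum" >> "$manifest"
    count=$((count + 1))
  done
  echo "$count"
}

# Save volatile context next to the archive: the user list from a
# passwd-format file ($1) and a listing of the archive directory ($2), into
# $3. Passing the passwd file as a parameter keeps the example self-contained.
save_context() {
  passwd_file=$1; archive_dir=$2; out=$3
  {
    printf '# users at %s\n' "$(date -u +%Y%m%dT%H%M%SZ)"
    cut -d: -f1 "$passwd_file"
    printf '# archive listing\n'
    ls -l "$archive_dir"
  } > "$out"
}

# Extract only login/logout records (audit class lo) from an archived audit
# tree rooted at $1 into a file with the suffix "logins". The auditreduce
# flags (-R root, -c class, -O suffix) are assumed from auditreduce(1M); the
# call is skipped when the tool is not installed so the rest still runs.
make_login_summary() {
  root=$1
  if command -v auditreduce >/dev/null 2>&1; then
    auditreduce -R "$root" -c lo -O logins
  else
    echo "auditreduce not found; skipping login summary" >&2
  fi
}

# Usage: sh archive_audit.sh demo   (runs the whole pass on constructed data)
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  make_sample_audit_dir "$work/files"
  printf 'root:x:0:0::/:/bin/sh\nalice:x:100:1::/home/alice:/bin/sh\n' > "$work/passwd.sample"
  n=$(archive_closed_audit_files "$work/files" "$work/archive" "$work/manifest.log")
  save_context "$work/passwd.sample" "$work/archive" "$work/context.txt"
  make_login_summary "$work/archive"
  echo "archived $n file(s); manifest at $work/manifest.log"
fi
```

The manifest is the "record of what was moved" from step 4; storing a checksum with each name lets a later restore be checked against the tape or archive copy. The context file covers step 3 by capturing the user list and directory listing at archive time, since both can change before anyone reads the records.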