Trusted Solaris Audit Administration

Merging the Audit Trail

The auditreduce command merges audit records from one or more input audit files to create a single, chronologically ordered output file. On a distributed system, the input audit files originate from different hosts. Therefore, when issued from the audit administration server, the auditreduce command treats the distributed system as if it were one system. This treatment simplifies audit administration. Coupled with backup audit partitions, the distributed system is robust in the face of system failures.

The auditreduce command also includes options for selecting sets of records to examine. For instance, records from the past 24 hours can be selected to generate a daily report; all records generated by a specific user can be selected to examine that user's activities; or all records caused by a specific event type can be selected to see how often that type occurs.
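As an added example (not from the Trusted Solaris manual), a small POSIX shell wrapper that composes the selections described above, a daily report, one user's records, or one event type, and pipes the merged trail through praudit so the binary records are readable. It assumes auditreduce and praudit are on the PATH, that the audit files are found in their default directories, and that AUDIT_DRY_RUN=1 prints the command instead of running it; the user name, dates and event name used are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation.
# Assumes auditreduce and praudit are on PATH. With AUDIT_DRY_RUN=1 the
# composed pipeline is printed rather than run, so it can be checked on a
# non-Solaris host.

# Map a report kind and its value to the matching auditreduce selection flag.
#   daily YYYYMMDD        -> records from that day           (-d)
#   since YYYYMMDDhhmmss  -> records after that timestamp    (-a)
#   user  NAME            -> records attributed to that user (-u)
#   event TYPE            -> records of one event type       (-m), e.g. AUE_login
select_flags() {
  case "$1" in
    daily) echo "-d $2" ;;
    since) echo "-a $2" ;;
    user)  echo "-u $2" ;;
    event) echo "-m $2" ;;
    *) echo "unknown selector: $1" >&2; return 1 ;;
  esac
}

# Compose the pipeline: merge all hosts' files, apply the selections (which
# may be combined, e.g. "daily 20240101 user jdoe"), then decode with praudit.
report_cmd() {
  flags=""
  while [ $# -ge 2 ]; do
    f=$(select_flags "$1" "$2") || return 1
    flags="$flags $f"
    shift 2
  done
  # A trailing selector without a value is an error, not silently ignored.
  [ $# -eq 0 ] || { echo "selector $1 needs a value" >&2; return 1; }
  echo "auditreduce$flags | praudit"
}

# Run (or, in dry-run mode, print) the composed report.
run_report() {
  cmd=$(report_cmd "$@") || return 1
  if [ "${AUDIT_DRY_RUN:-0}" = "1" ]; then
    echo "$cmd"
  else
    sh -c "$cmd"
  fi
}
```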