SunSHIELD Basic Security Module Guide

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files and to delete the archived audit files from the audit file system.

  2. Manually archive audit files by backing them up on tape or moving them to an archive file system.

  3. Store context-sensitive information that will be needed to interpret audit records along with the audit trail.

  4. Keep records of which audit files have been moved offline.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data you store by creating summary files.

    You can extract summary files from the audit trail using options to auditreduce, so that the summary files contain only records for certain specified types of audit events. An example of this is a summary file containing only the audit records for all logins and logouts. See Chapter 3, Audit Trail Analysis.
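Steps 1, 3 and 4 above, carried out together by an archiving job, as an added example that is not part of the guide. It assumes the BSM audit file naming convention start_time.end_time.hostname, with the string not_terminated in the end field marking the file that is still being written (that file is left in place); the directory layout, file contents and the audit_class line used in demo() are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

def is_closed_audit_file(name):
    # BSM audit files are named start.end.hostname; "not_terminated" in the end
    # field means the file is still being written and must stay in audit_dir.
    parts = name.split(".", 2)
    return len(parts) == 3 and parts[0].isdigit() and parts[1] != "not_terminated"

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def archive_audit_files(audit_dir, archive_dir, manifest_path, context_files=()):
    """Move closed audit files to archive_dir, copy the context files needed to
    interpret them next to the archive, and append one manifest line per file."""
    os.makedirs(archive_dir, exist_ok=True)
    entries = []
    for name in sorted(os.listdir(audit_dir)):
        src = os.path.join(audit_dir, name)
        if not os.path.isfile(src) or not is_closed_audit_file(name):
            continue
        entries.append({"file": name, "bytes": os.path.getsize(src),
                        "sha256": sha256_of(src),
                        "archived_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())})
        shutil.move(src, os.path.join(archive_dir, name))
    for ctx in context_files:  # e.g. the audit_class and audit_event tables
        shutil.copy2(ctx, os.path.join(archive_dir, os.path.basename(ctx)))
    with open(manifest_path, "a") as m:  # record of what was moved offline
        for e in entries:
            m.write(json.dumps(e) + "\n")
    return entries

def demo():
    # Constructed sample: one closed file, one still being written, one context file.
    base = tempfile.mkdtemp()
    audit_dir, archive_dir = os.path.join(base, "audit"), os.path.join(base, "archive")
    os.makedirs(audit_dir)
    for n in ("20010302215519.20010303000512.host1", "20010303000512.not_terminated.host1"):
        with open(os.path.join(audit_dir, n), "wb") as f:
            f.write(b"constructed audit data for " + n.encode())
    ctx = os.path.join(base, "audit_class")
    with open(ctx, "w") as f:
        f.write("0x00001000:lo:login or logout\n")  # constructed context line
    entries = archive_audit_files(audit_dir, archive_dir, os.path.join(base, "manifest.jsonl"), [ctx])
    return entries, sorted(os.listdir(audit_dir)), sorted(os.listdir(archive_dir))
```

The manifest is append-only so each scheduled run adds to the record of what left the audit file system; the file with not_terminated in its name is never touched.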