Binary audit files grow without limit. For ease of archiving and searching, you might want to limit the size. You can also create smaller binary files from the original file.
Use the p_fsize attribute to limit the size of individual binary audit files.
The p_fsize attribute of the audit_binfile.so plugin limits the size of an individual audit file. The default value is zero (0), which allows the file to grow without limit. The value is specified in bytes, from 512,000 to 2,147,483,647. When the current audit file reaches the specified size, it is closed and a new audit file is opened.
In the following example, you limit the size of an audit file to 1 Mbyte:
plugin:name=audit_binfile.so; p_dir=/var/audit; p_fsize=1024000
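An added example, not from the Solaris documentation, that parses a plugin line of the form shown above and checks the p_fsize value against the documented range, so that an out-of-range or mistyped size limit is caught before the audit service is restarted. It assumes the attribute syntax key=value separated by semicolons, and the function names are its own.

```python
# Added example: validate the p_fsize attribute on an audit_control
# plugin line against the range given in the documentation.
from typing import Dict

P_FSIZE_MIN = 512_000          # smallest permitted non-zero size, in bytes
P_FSIZE_MAX = 2_147_483_647    # largest permitted size, in bytes


def parse_plugin_line(line: str) -> Dict[str, str]:
    """Split 'plugin:name=audit_binfile.so; p_dir=/var/audit; p_fsize=...'
    into a dict of attribute names to values. Whitespace around the
    semicolons is tolerated; an attribute without '=' is rejected."""
    line = line.strip()
    if not line.startswith("plugin:"):
        raise ValueError("not a plugin: line")
    attrs: Dict[str, str] = {}
    for field in line[len("plugin:"):].split(";"):
        field = field.strip()
        if not field:
            continue
        key, sep, value = field.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed attribute {field!r}")
        attrs[key.strip()] = value.strip()
    return attrs


def check_p_fsize(attrs: Dict[str, str]) -> str:
    """Return 'unlimited' (p_fsize absent or 0), 'ok', or a diagnostic."""
    raw = attrs.get("p_fsize", "0")   # absent means the default of 0
    try:
        size = int(raw)
    except ValueError:
        return f"p_fsize {raw!r} is not an integer"
    if size == 0:
        return "unlimited"            # file grows without limit
    if size < P_FSIZE_MIN or size > P_FSIZE_MAX:
        return f"p_fsize {size} outside {P_FSIZE_MIN}..{P_FSIZE_MAX}"
    return "ok"


if __name__ == "__main__":
    # Constructed sample line matching the 1 Mbyte example above.
    sample = "plugin:name=audit_binfile.so; p_dir=/var/audit; p_fsize=1024000"
    print(check_p_fsize(parse_plugin_line(sample)))
```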
Use the auditreduce command to select records and write those records to a file for further analysis.
The lowercase auditreduce options select specific records.
The uppercase auditreduce options control the output, including writing the selected records to a file. For more information, see the auditreduce(1M) man page.