Auditing requires the storage and analysis of a potentially huge amount of data. Before you set up auditing, you need to:
- Decide which classes of activity you need to audit. Try to keep these to a minimum.
- Plan how you are going to handle the storage and administration of the auditing data.
Each host should have a disk dedicated to audit data collection with a primary partition and a second partition for overflow records.
If you are auditing a network, you should dedicate at least one server to data collection and another server to data administration and analysis. Ideally, you should have your primary and secondary data collection areas on different hosts. In addition, you should reserve a fallback partition on the local hosts in case the network goes down.
Read Trusted Solaris Audit Administration for step-by-step assistance.