Trusted Solaris Audit Administration

To Restore Audit Files

  1. As role admin, in an admin_high workspace, go to the directory where the audit files are to be placed.

    $ cd /etc/security/audit/system_name[.n]/reports

  2. Allocate, at the label admin_high, the tape drive that you are going to use to restore the files.

    If you are unfamiliar with device allocation, see To Allocate and Deallocate Devices.

  3. Use the tar(1) command to copy the audit files and their Trusted Solaris security attributes, such as the label, from the tape.

    For example:

    $ tar xvT \
    /etc/security/audit/grebe/files/19980513120429.19980513180433.grebe

  4. Deallocate the tape drive when finished and follow the Device Manager's instructions.

  5. Use the restored audit files.

    You may need to restore or refer to other system information from the audit backup's associated system backup.

  6. As role admin, at label admin_high, remove the audit files when you are done.

    $ rm /etc/security/audit/system_name/reports/19980513120429.19980513180433.grebe
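
The following is an added example, not part of the original procedure: a shell check that vets a restored audit file's name before the file is used (step 5) or removed (step 6). It assumes the START.END.HOST naming seen in the example file name above, with 14-digit timestamps; the helper names `is_ts` and `check_audit_name` are hypothetical, and every sample name except the first is constructed.

```shell
#!/bin/sh
# Added example: vet restored audit file names before use or removal.
# Assumption: names are START.END.HOST with 14-digit timestamps, as in the
# page's 19980513120429.19980513180433.grebe; END may be "not_terminated"
# (standard Solaris audit naming for a file that was never closed).

# is_ts STRING: succeed only if STRING is exactly 14 decimal digits.
is_ts() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq 14 ]
}

# check_audit_name PATH EXPECTED_HOST (hypothetical helper)
# Prints one verdict word; returns 0 only for "ok".
check_audit_name() {
    name=${1##*/}                 # strip the directory part
    start=${name%%.*}
    rest=${name#*.}
    [ "$rest" != "$name" ] || { echo malformed; return 1; }
    end=${rest%%.*}
    host=${rest#*.}               # keeps dots in qualified host names
    [ "$host" != "$rest" ] || { echo malformed; return 1; }
    is_ts "$start" || { echo bad-start; return 1; }
    [ "$end" != not_terminated ] || { echo not-terminated; return 1; }
    is_ts "$end" || { echo bad-end; return 1; }
    [ "$start" -le "$end" ] || { echo reversed; return 1; }
    [ "$host" = "$2" ] || { echo wrong-host; return 1; }
    echo ok
}

# Constructed sample names (only the first comes from the page).
for f in \
    /etc/security/audit/grebe/files/19980513120429.19980513180433.grebe \
    19980513180433.not_terminated.grebe \
    19980513180433.19980513120429.grebe \
    19980513120429.19980513180433.heron
do
    printf '%s  %s\n' "$(check_audit_name "$f" grebe)" "${f##*/}"
done
```

A verdict other than `ok` is a reason to stop and check that the right tape and the right file were restored before relying on the data or deleting anything.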