System Administration Guide: Security Services

ProcedureHow to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files.

    Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.

    If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(1M) man page.

  2. Set up a schedule to delete the archived audit files from the audit file system.

  3. Save and store auxiliary information.

    Archive information that is necessary to interpret audit records along with the audit trail.

  4. Keep records of which audit files have been archived.

  5. Store the archived media appropriately.

  6. Reduce the volume of audit data that you store by creating summary files.

    You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 30–30 and Example 30–34.