System Administration Guide: Security Services

Cost of Storage

Storage cost is the most significant cost of auditing. The amount of audit data depends on the following:

Because these factors vary from site to site, no formula can determine in advance the amount of disk space to set aside for audit data storage.

Full auditing (with the all flag) fills up disks quickly. Even a simple task such as compiling a program of modest size (for example, 5 files, 5000 lines total) in less than a minute could generate thousands of audit records, occupying many megabytes of disk space. Therefore, it is very important to use the preselection features to reduce the volume of records that are generated. For example, by omitting the fr class instead of all classes, you can reduce the audit volume by more than two-thirds. Efficient audit file management is also important after the audit records are created, to reduce the amount of storage that is required.

Before you configure auditing, you should understand the audit flags and the types of events they flag. Develop a philosophy of auditing for your site that is based on the amount of security your site requires, and the types of users you administer.