System Administration Guide: Security Services

Example — Combining and Reducing Audit Files

Use auditreduce with the -O option to combine several audit files into a single output file whose name suffix you specify. auditreduce can do this type of combination and deletion automatically (see the -C and -D options in the auditreduce(1M) man page). However, it is often easier to select the files manually (perhaps with the find command) and use auditreduce to combine just the named set of files.

When used in this way, auditreduce merges all the records from its input files into a single output file. The input files should then be deleted. In addition, the output file should be kept in a directory that is named /etc/security/audit/server-name/files so that auditreduce can find it.

# auditreduce -O combined-filename

The auditreduce command can also reduce the number of records in its output file by eliminating the less interesting records as it combines the input files. For example, you might use auditreduce to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover it from backup tapes.

# auditreduce -O daily.summary -b 19990413 -c lo; compress *daily.summary
# mv *daily.summary /etc/security/summary.dir
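The manual file selection that the guide leaves to "perhaps the find command" can be scripted so that only closed audit files are ever handed to auditreduce -O. The following is an added example, not a script from the guide or from Solaris; it relies on the BSM audit file naming convention start.end.hostname (14-digit YYYYMMDDHHMMSS stamps, with the file still being written named start.not_terminated.hostname). The directory path, the cutoff stamp, the AUDIT_SELECT variable and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the guide): pick closed audit files older than a
# cutoff and merge exactly that set with auditreduce -O.

# "$1 sorts strictly before $2" using sort(1), so no reliance on the
# non-POSIX '<' operator of test(1). Fixed-width timestamps order correctly
# as strings.
before() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# Print, one per line, the audit files in DIR whose end timestamp is strictly
# before CUTOFF (YYYYMMDDHHMMSS). The file currently open for writing
# (start.not_terminated.host) and anything that is not an audit file are
# skipped, so the merge never touches a file the audit daemon still owns.
select_closed_audit_files() {
    dir=$1
    cutoff=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        rest=${name#*.}          # strip the start timestamp
        end=${rest%%.*}          # field between first and second dot
        case $end in
            not_terminated) continue ;;   # still being written: never merge
            *[!0-9]* | '')  continue ;;   # not an audit file name
        esac
        [ "${#end}" -eq 14 ] || continue
        if before "$end" "$cutoff"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Merge the named files into one output file named with SUFFIX (auditreduce
# prefixes it with the merged start/end stamps, which is why the guide globs
# *daily.summary), then delete the inputs only if the merge succeeded.
# AUDIT_SELECT may carry record-selection options such as "-c lo".
combine_audit_files() {
    suffix=$1
    shift
    [ $# -gt 0 ] || { echo "combine_audit_files: no input files" >&2; return 1; }
    # shellcheck disable=SC2086  # AUDIT_SELECT is intentionally word-split
    auditreduce -O "$suffix" ${AUDIT_SELECT:-} "$@" || return 1
    rm -f -- "$@"
}

# Usage (assumed paths): keep only login/logout records from files that
# closed before 1 April 1999, then remove the originals.
#   cd /etc/security/audit/server-name/files
#   AUDIT_SELECT="-c lo"
#   set -- $(select_closed_audit_files . 19990401000000)
#   [ $# -gt 0 ] && combine_audit_files daily.summary "$@"
```

The selection is deliberately separate from the merge: listing the candidate files first lets an administrator review the set (or pipe it into find/ls for a second look) before any records are rewritten or any originals are removed, and the rm only runs after auditreduce has returned success.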