System Administration Guide: Security Services

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files, and a schedule to delete the archived audit files from the audit file system once they have been archived.

  2. Manually archive audit files by backing up the files on tape. You can also move the files to an archive file system.

  3. Store context-sensitive information that is necessary to interpret audit records, along with the audit trail.

  4. Keep records of which audit files are moved offline.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data that you store by creating summary files.

    You can extract summary files from the audit trail by using options to the auditreduce command. The summary files then contain only records for certain specified types of audit events. For examples, see Example—Combining and Reducing Audit Files and Example—Copying Selected Records to a Single File.
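The following script is an added example of steps 1, 4 and 6 above; it is not part of this guide. It assumes the Solaris audit file naming convention (a closed file is named start-time.end-time.hostname, while the file that auditd is still writing is named start-time.not_terminated.hostname), and the directory names and offline log path are illustrative.

```shell
#!/bin/sh
# Added example: move closed audit files to an archive directory and record
# every file that goes offline. The open (not_terminated) file is never moved.

# Print the names of closed (terminated) audit files in directory $1.
closed_audit_files() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case $name in
            *.not_terminated.*) ;;          # still being written by auditd: skip it
            [0-9]*.[0-9]*.*) echo "$name" ;; # start.end.host: safe to archive
            *) ;;                            # not an audit file
        esac
    done
}

# Move closed audit files from $1 to archive directory $2 and append one line
# per file to the offline log $3 (step 4: keep records of what moved offline).
# Prints the number of files moved.
archive_audit_files() {
    src=$1; dest=$2; log=$3
    mkdir -p "$dest" || return 1
    count=0
    for name in $(closed_audit_files "$src"); do
        mv "$src/$name" "$dest/$name" || return 1
        printf '%s moved %s -> %s\n' "$(date +%Y%m%d%H%M%S)" \
            "$src/$name" "$dest/$name" >> "$log"
        count=$((count + 1))
    done
    echo "$count"
}

# Optional (step 6): before the raw files go offline, keep a summary of the
# login/logout class (lo) built from the closed files. The -c (class) and
# -O (output-file suffix) options are as recalled from auditreduce(1M);
# confirm them against the man page on your release.
summarize_logins() {
    src=$1; suffix=$2
    command -v auditreduce >/dev/null 2>&1 || { echo "auditreduce not found" >&2; return 1; }
    files=$(closed_audit_files "$src")
    [ -n "$files" ] || return 1
    ( cd "$src" && auditreduce -c lo -O "$suffix" $files )
}
```

Run `archive_audit_files /var/audit /archive/audit /var/log/audit-offline.log` from a cron job to schedule the archive; the log file is the record of which audit files are offline.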