When the audit_binfile plugin is active, an audit file system holds audit files in binary format. A typical installation uses the /var/audit file system and can use additional file systems. The contents of all audit file systems comprise the audit trail. Audit records are stored in these file systems in the following order:
Primary audit file system – The /var/audit file system, the default file system for audit files for a system
Secondary audit file systems – File systems where the audit files for a system are placed at administrator discretion
The file systems are specified as arguments to the p_dir attribute of the audit_binfile plugin. A file system is not used until a file system that is earlier in the list is full. For an example with a list of file system entries, see How to Create ZFS File Systems for Audit Files.
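The fill order described above (each p_dir entry is used only once every earlier entry is full) is easy to model. The following is an added example, not code from the Oracle Solaris audit service: it parses a p_dir value into its ordered list and picks the first directory that still has more free space than a minimum-free threshold. The comma-separated p_dir syntax and the percentage-based threshold (mirroring the plugin's p_minfree attribute) are assumptions for this illustration; the `free_pct_of` parameter lets the selection logic be exercised offline with constructed free-space figures instead of a live statvfs call.

```python
import os
from typing import Callable, List, Optional, Sequence


def parse_p_dir(p_dir: str) -> List[str]:
    """Split a comma-separated p_dir value into its ordered directory list.

    Assumption: p_dir holds directories separated by commas, first entry
    being the primary audit file system (normally /var/audit).
    """
    dirs = [d.strip() for d in p_dir.split(",") if d.strip()]
    if not dirs:
        raise ValueError("p_dir must name at least one directory")
    return dirs


def free_space_pct(path: str) -> float:
    """Percentage of the file system holding `path` that is still free.

    Uses a real statvfs measurement; replaced by a stub in the test below.
    """
    st = os.statvfs(path)
    if st.f_blocks == 0:
        return 0.0
    return 100.0 * st.f_bavail / st.f_blocks


def select_audit_dir(
    dirs: Sequence[str],
    min_free_pct: float,
    free_pct_of: Callable[[str], float] = free_space_pct,
) -> Optional[str]:
    """Return the first directory in p_dir order that is not yet 'full'.

    A directory counts as full once its free space drops to or below
    min_free_pct (the threshold a p_minfree-style attribute would set).
    Returns None when every listed file system is full, the condition an
    administrator must be alerted to, because audit records can then no
    longer be written to disk.
    """
    for d in dirs:
        if free_pct_of(d) > min_free_pct:
            return d
    return None


if __name__ == "__main__":
    # Constructed example: primary file system nearly full, secondary healthy.
    order = parse_p_dir("/var/audit,/audit/second,/audit/third")
    constructed_free = {"/var/audit": 0.5, "/audit/second": 40.0, "/audit/third": 80.0}
    print(select_audit_dir(order, 1.0, constructed_free.__getitem__))
```

Running the script with the constructed figures selects /audit/second: /var/audit is skipped because only 0.5% is free, and /audit/third is never reached because an earlier entry still has room, which is exactly the ordering rule the p_dir list enforces.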
Placing the audit files in the default audit root directory assists the audit reviewer when reviewing the audit trail. The auditreduce command uses the audit root directory to find all files in the audit trail. The default audit root directory is /var/audit.
You can use the following options with the auditreduce command:
The -M option to the auditreduce command can be used to specify the audit files from a specific machine.
The -S option can be used to specify a different audit file system.
The audit service provides commands to combine and filter files from the audit trail. The auditreduce command can merge audit files from the audit trail. The command can also filter files to locate particular events. The praudit command reads the binary files. Options to the praudit command provide output that is suitable for scripting and for browser display.