If you are using the audit_binfile plugin, storage cost is the most significant cost of auditing. The amount of audit data depends on the following:
Number of users
Number of systems
Amount of use
Degree of traceability and accountability that is required
Because these factors vary from site to site, no formula can predetermine the amount of disk space to set aside for audit data storage. Use the following information as a guide:
Understand the audit classes
Before you configure auditing, you should understand the types of events that the classes contain. You can change the audit event-class mappings to optimize audit record collection.
Preselect audit classes judiciously to reduce the volume of records that are generated.
Full auditing, that is, with the all class, fills disk space quickly. Even a simple task such as compiling a program could generate a large audit file. A program of modest size could generate thousands of audit records in less than a minute.
For example, by omitting the file_read audit class, fr, you can significantly reduce audit volume. By choosing to audit for failed operations only, you can at times reduce audit volume. For example, by auditing for failed file_read operations only, -fr, you generate far fewer records than by auditing for all file_read events.
If you are using the audit_binfile plugin, efficient audit file management is also important. For example, you can compress a ZFS file system that is dedicated to audit files.
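The following is an added example, not code from the original documentation: it interprets a preselection string in the audit_flags syntax (a class name with an optional +, - or ^ prefix) so that the effect of choices such as omitting fr or selecting -fr can be compared before the flags are applied. The class table is a constructed subset of the real audit classes, used only for illustration.

```python
# Added example: model the audit_flags preselection syntax so that the
# reach of a flags string can be inspected before it is configured.
# AUDIT_CLASSES is a constructed subset of the real audit class list.
AUDIT_CLASSES = {
    "lo": "login or logout",
    "ex": "exec",
    "fr": "file read",
    "fw": "file write",
    "fm": "file attribute modify",
    "pc": "process",
}


def parse_audit_flags(flags):
    """Return {class: {"success": bool, "failure": bool}} for a flags string.

    Entries are comma-separated and have the form [^][+|-]class:
    '+' selects only successful events, '-' only failed events, no prefix
    selects both; a leading '^' removes that selection instead of adding it.
    "all" stands for every class and "no" for none.
    """
    selected = {c: {"success": False, "failure": False} for c in AUDIT_CLASSES}
    for entry in flags.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("^")
        if negate:
            entry = entry[1:]
        success = failure = True
        if entry.startswith("+"):
            failure = False  # successes only
            entry = entry[1:]
        elif entry.startswith("-"):
            success = False  # failures only
            entry = entry[1:]
        if entry == "no":
            classes = []
        elif entry == "all":
            classes = list(AUDIT_CLASSES)
        elif entry in AUDIT_CLASSES:
            classes = [entry]
        else:
            raise ValueError(f"unknown audit class: {entry!r}")
        for c in classes:  # later entries override earlier ones
            if success:
                selected[c]["success"] = not negate
            if failure:
                selected[c]["failure"] = not negate
    return selected


def selected_count(flags):
    """Number of (class, outcome) pairs switched on: a rough proxy for how
    much of the event space will produce audit records."""
    sel = parse_audit_flags(flags)
    return sum(v["success"] + v["failure"] for v in sel.values())
```

Comparing selected_count("all") with selected_count("all,^fr") or selected_count("lo,ex,-fr") shows how much of the event space each preselection leaves switched on; the actual record volume still depends on the site factors listed above.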
Develop a philosophy of auditing for your site.
Base your philosophy on measures such as the amount of traceability that your site requires, and the types of users that you administer.