If your security policy requires that all audit data be saved, prevent audit record loss by observing the following practices.
Set a minimum free size on the audit_binfile plugin.
Use the p_minfree attribute.
The audit_warn email alias sends a warning when the disk space fills to the minimum free size. See Example 4–7.
Set up a schedule to regularly archive audit files.
Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.
If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(1M) man page.
Save and store auxiliary information.
Archive information that is necessary to interpret audit records along with the audit trail. Minimally, you save the passwd, group, and hosts files. You also might archive the audit_event and audit_class files.
Keep records of which audit files have been archived.
Store the archived media appropriately.
Reduce the amount of file system capacity that is required by enabling ZFS compression.
On a ZFS file system that is dedicated to audit files, compression shrinks the files considerably. For an example, see How to Compress Audit Files on a Dedicated File System.
Reduce the volume of audit data that you store by creating summary files.
You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 5–4 and Example 5–6.