The audit remote server (ARS) receives audit records over a secure link from audited systems and stores the records.
The reception relies on the following being configured:
A Kerberos realm with specific audit principals and a GSS-API mechanism
The ARS with at least one configured and active connection group
At least one audited system in the connection group and a configured and active audit_remote plugin
A connection group is specified in the group property of the ARS. For file management, group can limit the size of an audit file and specify the minimum free space. The primary reason to specify different connection groups is to specify different storage locations on the ARS, as shown in Example 26, Streaming Audit Records to Different File Locations on the Same ARS.
For more information about the ARS, see the ars(7) man page. For ARS configuration information, see the –setremote option in the auditconfig(8) man page.
To configure the audited systems, see the audit_remote(7) man page and the –setplugin option in the auditconfig(8) man page.