If your security policy requires that all audit data be saved, prevent audit record loss by observing the following practices.
Set a minimum free size on the audit_binfile plugin by using the p_minfree attribute.
The audit_warn email alias sends a warning when the disk space fills to the minimum free size. See Example 23, Setting a Soft Limit for Warnings.
Set up a schedule to regularly archive audit files.
Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.
If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(8) man page.
Save and store auxiliary information.
Be sure to archive information that is necessary to interpret audit records along with the audit trail. Minimally, you should save passwd, group, and hosts. You also might archive audit_event and audit_class.
Keep records of which audit files have been archived.
Store the archived media appropriately.
Reduce the amount of file system capacity that is required by enabling ZFS compression.
On a ZFS file system that is dedicated to audit files, compression shrinks the files considerably. For an example, see How to Compress Audit Files on a Dedicated File System.
Reduce the volume of audit data that you store by creating summary files.
You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 32, Combining and Reducing Audit Files and Example 34, Merging Selected Records to a Single File.