By merging the audit files from all the audit directories, you can analyze the contents of the entire audit trail.
Before You Begin
You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
To lessen the chance of running out of disk space, the file system that holds the merged files should be in a different zpool from the file systems that you created in How to Create ZFS File Systems for Audit Files to store the original files.
Go to the directory for storing merged audit files. From this directory, merge the audit records into a file with a named suffix. All directories in the audit trail on the local system are merged and placed in this directory.
# cd audit-storage-directory
# auditreduce Uppercase-option -O suffix
The uppercase options of the auditreduce command manipulate files in the audit trail. The uppercase options include the following:
-A    Selects all of the files in the audit trail.
-C    Selects complete files only.
-D    Selects files to be deleted.
-M suffix    Selects files with a particular suffix. The suffix can be a physical machine name or a suffix that you have specified for a summary file.
-O suffix    Creates an audit file with 14-character time stamps for both the start time and the end time, with the suffix suffix in the current directory.
-R pathname    Specifies to read audit files in pathname, an alternate audit root directory.
-S server    Specifies to read audit files from the specified server.
For the full list of options, see the auditreduce(1M) man page.
In this example, an administrator who is assigned the System Administrator rights profile copies all files from the audit trail into a merged file on a different file system. The /var/audit/storage file system is on a separate disk from /var/audit, which functions as the audit root file system.
$ cd /var/audit/storage
$ auditreduce -A -O All
$ ls /var/audit/storage/*All
20100827183214.20100827215318.All
In the following example, only complete files are copied from the audit trail into a merged file. The complete path is specified as the value of the -O option. The last component of the path, Complete, is used as the suffix.
$ auditreduce -C -O /var/audit/storage/Complete
$ ls /var/audit/storage/*Complete
20100827183214.20100827214217.Complete
In the following example, by adding the -D option, the original audit files are deleted after they are merged.
$ auditreduce -C -O daily_sys1.1 -D sys1.1
$ ls *sys1.1
20100827183214.20100827214217.daily_sys1.1
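As an added example, not taken from the Oracle Solaris documentation, the following POSIX sh helpers wrap the merge step with two checks a practitioner wants around it: that the storage directory really is on a different filesystem from /var/audit (the disk-space caveat above), and that a resulting merged file name follows the start.end.suffix convention with 14-character time stamps produced by -O. The function names check_separate_fs, merged_span and merge_audit_trail are assumptions of this example; the sample file names are the ones shown in the examples above.

```shell
#!/bin/sh
# Added helper script (not part of the Oracle Solaris documentation).
# Assumes POSIX sh, df -P and awk. auditreduce itself is only invoked by
# merge_audit_trail, after the storage directory passes the filesystem check.

# Return 0 if the two directories sit on different filesystems, 1 otherwise.
# Enforces the guidance that the merge target must not share a pool with
# /var/audit, so a large merged file cannot fill the audit root.
check_separate_fs() {
    fs1=$(df -P "$1" | awk 'NR==2 {print $1}')
    fs2=$(df -P "$2" | awk 'NR==2 {print $1}')
    [ -n "$fs1" ] && [ -n "$fs2" ] && [ "$fs1" != "$fs2" ]
}

# Parse a merged file name of the form start.end.suffix, where both time
# stamps are 14 characters (YYYYMMDDhhmmss) and the suffix may itself
# contain dots (for example daily_sys1.1). Prints "start end suffix";
# returns 1 if the name does not follow the convention or start > end.
merged_span() {
    name=${1##*/}                       # strip any leading directory
    case $name in
        [0-9]*.[0-9]*.?*) ;;
        *) return 1 ;;
    esac
    start=${name%%.*}
    rest=${name#*.}
    end=${rest%%.*}
    suffix=${rest#*.}
    [ ${#start} -eq 14 ] && [ ${#end} -eq 14 ] || return 1
    # 14-digit values are exact in awk's double arithmetic, so compare there.
    awk -v a="$start" -v b="$end" 'BEGIN { exit !(a <= b) }' || return 1
    printf '%s %s %s\n' "$start" "$end" "$suffix"
}

# Merge the local audit trail into storage_dir using one uppercase
# selection option (-A, -C, ...) and the output suffix, exactly as in the
# documented procedure, but refuse if storage_dir shares a filesystem
# with /var/audit.
merge_audit_trail() {
    storage_dir=$1; option=$2; suffix=$3
    check_separate_fs /var/audit "$storage_dir" || {
        echo "refusing: $storage_dir shares a filesystem with /var/audit" >&2
        return 1
    }
    ( cd "$storage_dir" && auditreduce "$option" -O "$suffix" )
}
```

Usage on a Solaris host would be `merge_audit_trail /var/audit/storage -A All`, followed by `merged_span /var/audit/storage/*All` to confirm the start and end stamps of what was written. The filesystem check compares the device column of df -P rather than mount paths, so a storage directory that is a plain subdirectory of /var/audit is rejected even though its path differs.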