Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: December 2018
 
 

How to Merge Audit Files From the Audit Trail

By merging the audit files from all the audit directories, you can analyze the contents of the entire audit trail.


Note -  Because the time stamps in the audit trail are in Coordinated Universal Time (UTC), the date and hour must be translated to the current time zone to be meaningful. Keep this point in mind whenever you manipulate these files with standard file commands rather than with the auditreduce command.

Before You Begin

You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Create a file system for storing merged audit files.

    To lessen the chance of reaching the limit of disk space, this file system should be in a different zpool from the file systems that you created in How to Create ZFS File Systems for Audit Files to store the original files.

  2. Merge the audit records in the audit trail.

    Go to the directory for storing merged audit files. From this directory, merge the audit records into a file with a named suffix. All directories in the audit trail on the local system are merged and placed in this directory.

    # cd audit-storage-directory
    # auditreduce Uppercase-option -O suffix

    The uppercase options of the auditreduce command manipulate files in the audit trail. The uppercase options include the following:

    –A

    Selects all of the files in the audit trail.

    –C

    Selects complete files only.

    –D

    Selects files to be deleted.

    –M

    Selects files with a particular suffix. The suffix can be a physical machine name or a suffix that you have specified for a summary file.

    –O suffix

    Creates an audit file with 14-character time stamps for both the start time and the end time, with the suffix suffix in the current directory.

    –R pathname

    Specifies to read audit files in pathname, an alternate audit root directory.

    –S server

    Specifies to read audit files from the specified server.

    For the full list of options, see the auditreduce(1M) man page.

Example 45  Copying Audit Files to a Summary File

In this example, an administrator who is assigned the System Administrator rights profile copies all files from the audit trail into a merged file on a different file system. The/var/audit/storage file system is on a separate disk from /var/audit which functions as the audit root file system.

$ cd /var/audit/storage
$ auditreduce -A -O All
$ ls /var/audit/storage/*All
20100827183214.20100827215318.All

In the following example, only complete files are copied from the audit trail into a merged file. The complete path is specified as the value of the –0 option. The last component of the path, Complete, is used as the suffix.

$ auditreduce -C -O /var/audit/storage/Complete

$ ls /var/audit/storage/*Complete
20100827183214.20100827214217.Complete

In the following example, by adding the –D option, the original audit files are deleted.

$ auditreduce -C -O daily_sys1.1 -D sys1.1

$ ls *sys1.1
20100827183214.20100827214217.daily_sys1.1