Audit files can grow large. You can set an upper limit to the size of a file, as shown in Example 21, Limiting File Size for the audit_binfile Plugin. In this procedure, you use compression to reduce the size.
Before You Begin
You must become an administrator who is assigned the ZFS File System Management and ZFS Storage Management rights profiles. The latter profile enables you to create storage pools. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
For the procedure, see How to Create ZFS File Systems for Audit Files.
You can compress the audit file system in two different ways. After the audit service is refreshed, the compression ratio is displayed.
In the following examples, the ZFS pool auditp/auditf is the dataset.
# zfs set compression=on auditp/auditf
# audit -s
# zfs get compressratio auditp/auditf
NAME           PROPERTY       VALUE  SOURCE
auditp/auditf  compressratio  4.54x  -

# zfs set compression=gzip-9 auditp/auditf
# zfs get compression auditp/auditf
NAME           PROPERTY     VALUE   SOURCE
auditp/auditf  compression  gzip-9  local
The gzip-9 compression algorithm results in files that occupy one-third less space than the default compression algorithm, lzjb. For more information, see Chapter 7, Managing Oracle Solaris ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.3.
# audit -s
For example, if you used the higher compression algorithm, the information would be similar to the following:
# zfs get compressratio auditp/auditf
NAME           PROPERTY       VALUE   SOURCE
auditp/auditf  compressratio  16.89x  -
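The verification step above in scriptable form, as an added example that is not part of the original documentation. The function reads the tab-separated output of `zfs get -H -o property,value,source compression,compressratio auditp/auditf` on standard input; the function name, return codes, and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Oracle code).
# Feed it the script-friendly form of the commands in this procedure:
#   zfs get -H -o property,value,source compression,compressratio auditp/auditf
# -H prints header-less, tab-separated lines: property<TAB>value<TAB>source

check_audit_compression() {
    comp=""
    ratio=""
    origin=""
    tab=$(printf '\t')
    # Collect the two properties this procedure sets and inspects.
    while IFS="$tab" read -r prop value src; do
        case "$prop" in
            compression)   comp=$value; origin=$src ;;
            compressratio) ratio=$value ;;
        esac
    done
    # Both properties must be present to make a decision.
    if [ -z "$comp" ] || [ -z "$ratio" ]; then
        echo "UNKNOWN: compression or compressratio missing from input"
        return 2
    fi
    # Compression was never enabled on the audit dataset.
    if [ "$comp" = "off" ]; then
        echo "FAIL: compression=off (source: $origin)"
        return 1
    fi
    # Compression is set but nothing has been saved yet. ZFS compresses
    # only blocks written after the property is set, so existing audit
    # files stay uncompressed.
    if [ "$ratio" = "1.00x" ]; then
        echo "WARN: compression=$comp but compressratio=1.00x"
        return 3
    fi
    echo "OK: compression=$comp (source: $origin), compressratio=$ratio"
    return 0
}

# Constructed sample input using the gzip-9 values shown in this procedure.
printf 'compression\tgzip-9\tlocal\ncompressratio\t16.89x\t-\n' |
    check_audit_compression
```

A source of `local` confirms that the property was set directly on the audit dataset and not inherited from the pool.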