1 Configuring and Using Auditing

Auditing collects data at the kernel level so that it can be analyzed to identify unauthorized activity. Auditing also often collects data in greater detail than system logging does. Examining audit trails to find events of interest can be challenging, but the process can be automated.

Settings defined in the audit configuration file, /etc/audit/auditd.conf, include the following:

  • Data retention policy

  • Maximum size of the audit volume

  • Action to take if the capacity of the audit volume is exceeded

  • Locations of local and remote audit trail volumes

The default audit trail volume is the /var/log/audit/audit.log file. For more information, see the auditd.conf(5) manual page.
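As an added example (not part of this page), the following Python script parses an auditd.conf-style file and flags the settings that would let audit records be lost silently when a size or disk-space threshold is reached; it assumes the standard auditd.conf(5) key names, and the sample configuration it reads is constructed.

```python
# Added example, not from the page: parse an auditd.conf-style file and flag
# settings that let audit records be lost silently. Key names are the real
# auditd.conf(5) keys; the sample file below is constructed for the demo.
import re

# Constructed sample: a permissive configuration of the kind a checker should flag.
SAMPLE_CONF = """\
# comment line
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = IGNORE
num_logs = 5
space_left = 75
space_left_action = IGNORE
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = IGNORE
disk_error_action = SYSLOG
"""

# Actions that drop records when a threshold is hit: 'ignore' does nothing and
# 'suspend' stops writing to disk while the daemon itself stays up.
WEAK = {
    "max_log_file_action": {"ignore"},  # 'ignore' lets the file grow unbounded
    "space_left_action": {"ignore", "suspend"},
    "admin_space_left_action": {"ignore", "suspend"},
    "disk_full_action": {"ignore", "suspend"},
    "disk_error_action": {"ignore", "suspend"},
}

def parse_auditd_conf(text):
    """Return {key: value} from 'key = value' lines; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z_]+)\s*=\s*(.+?)\s*$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def find_weak_settings(conf):
    """Return sorted (key, value) pairs whose value weakens audit retention."""
    findings = [(k, conf[k].lower()) for k in WEAK if conf.get(k, "").lower() in WEAK[k]]
    # auditd.conf(5): with max_log_file_action = rotate, num_logs < 2 disables
    # rotation, so the configured retention never takes effect (missing key treated as 0).
    if conf.get("max_log_file_action", "").lower() == "rotate" and int(conf.get("num_logs", "0")) < 2:
        findings.append(("num_logs", conf.get("num_logs", "0")))
    return sorted(findings)
```

Run it against a copy of /etc/audit/auditd.conf to see which thresholds would stop or drop auditing on the host rather than rotate or alert.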