If you would indulge my simpler in comparison question of the group. I
am setting up audit
on heavy usage systems. I have setup my auditd.conf to rotate the files
once they get to 70
meg and allow up to 12 rotated files. I created a cron that runs hourly to
look and see if
a ninth rotated file exists and if so run "ausearch -i" outputted to a file
and store the
file, then remove the rotated files. I run the cron to avoid losing data if
there is alot of activity
and rotated files are rolled off. I also have to balance performance with
auditing in this
arrangement.
My question is: is there a better way to do this?
Thanks.