
Controlling the Audit Trail Size

By default, audit trail files are limited to a size of 2 MB. When the audit service detects that the trail file will grow larger than this value, it closes the file, creates a new unique name for the file by using timestamp information, and then opens a new trail file with the original name. It then proceeds to write new audit logs to this file. When this file grows too large, this process is repeated.

If you wish to change the size of the audit trail file, you must set the environment variable DCEAUDITTRAILSIZE to the size you require before starting the application that is using the audit service. Setting this environment variable overrides the default 2 MB size limit.

For example, if you wish to use a trail file size of 5 MB, the value of DCEAUDITTRAILSIZE should be as follows:

DCEAUDITTRAILSIZE 5000000

You can also allow the audit daemon to "wrap" around the central trail file when its limit (the default 2 MB or the value set by DCEAUDITTRAILSIZE) is reached. To do this, start the audit daemon with the -wrap option:

auditd -wrap

You may also want to use this option if old audit records have little or no value and you want to keep only relatively recent records.

A trail size limit can also be set using the -s option of the auditd command. The limit set using this method overrides the default 2 MB limit.

If you need to take a snapshot of the audit trail before it reaches the limit, use the dcecp aud disable command to disable logging and then copy the file. You can then use the dcecp aud rewind command to rewind the central audit trail file. (You can back up the audit file at this point if required, but if backups are the goal, it is best to let the audit service create new trail files automatically and back those up.) Then use the aud enable command to re-enable the audit daemon's logging service.
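
The snapshot sequence above, written as a script. This is an added example, not part of the original documentation; it goes slightly beyond the text by rewinding only after the copy is verified and by re-enabling logging on every path. The DCECP variable, the function name, the two path arguments and the use of dcecp -c to run each step are assumptions.

```shell
#!/bin/sh
# Added example: snapshot the central audit trail, then rewind it.
# Assumptions (not from the page): the DCECP variable, the function name,
# both path arguments, and running each step via "dcecp -c".
DCECP="${DCECP:-dcecp}"

snapshot_audit_trail() {
    trail="$1"      # central trail file; site-specific, pass your own path
    dest_dir="$2"   # directory that receives the snapshot copy
    [ -f "$trail" ]    || { echo "no trail file: $trail" >&2; return 2; }
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 2; }
    snap="$dest_dir/$(basename "$trail").$(date -u +%Y%m%dT%H%M%SZ)"

    # Stop logging so the file is stable while it is copied.
    "$DCECP" -c aud disable || return 3

    rc=0
    # Rewind only after the copy is verified byte-for-byte; rewinding
    # after a failed copy would discard records with no snapshot.
    if cp -p "$trail" "$snap" && cmp -s "$trail" "$snap"; then
        "$DCECP" -c aud rewind || rc=4
    else
        rm -f "$snap"
        rc=5
    fi

    # Re-enable on every path so a failed copy cannot leave auditing off.
    "$DCECP" -c aud enable || rc=6

    if [ "$rc" -eq 0 ]; then echo "$snap"; fi
    return "$rc"
}

# Run as a script: snapshot.sh <trail-file> <destination-dir>
if [ "$#" -eq 2 ]; then snapshot_audit_trail "$@"; fi
```

Logging is off between the disable and enable steps, so run the snapshot when that gap matters least.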