If you would indulge my (simpler, in comparison) question to the group. I am setting up audit
on heavy-usage systems. I have set up my auditd.conf to rotate the files once they get to 70
MB and allow up to 12 rotated files. I created a cron that runs hourly to look and see if
a ninth rotated file exists and if so run "ausearch -i" output to a file and store the
file, then remove the rotated files. I run the cron to avoid losing data if there is a lot of activity
and rotated files are rolled off. I also have to balance performance with auditing in this
arrangement.
My question is: is there a better way to do this?
Thanks.
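The hourly sweep described in the post, written out as an added example in POSIX shell (this is not the poster's own cron job). It assumes the layout the post gives: auditd.conf with log_file = /var/log/audit/audit.log, max_log_file = 70, num_logs = 12 and max_log_file_action = rotate, so that auditd rotates by renaming audit.log to audit.log.1, audit.log.1 to audit.log.2 and so on, and a sweep is due once audit.log.9 exists. The archive directory /var/log/audit-archive, the script name audit-sweep.sh, the stub ausearch and the audit records built by demo_sweep are all assumptions constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example, not the poster's script: hourly sweep of rotated auditd logs.
# Assumed layout (from the post): log_file = /var/log/audit/audit.log,
# max_log_file = 70, num_logs = 12, max_log_file_action = rotate. auditd rotates
# by renaming audit.log -> audit.log.1 -> audit.log.2 ..., so the presence of
# audit.log.9 means nine rotations have happened since the last sweep.
set -eu

# AUSEARCH lets the demo (and tests) substitute a stub; cron uses the real binary.
AUSEARCH="${AUSEARCH:-ausearch}"

# archive_rotated_logs LOGDIR ARCHIVEDIR TRIGGER NUM_LOGS
#   Returns 1 (nothing to do) if LOGDIR/audit.log.TRIGGER is absent. Otherwise
#   interprets each rotated file into one archive, oldest record first, deletes
#   a rotated file only after its interpreted copy is written, and prints the
#   archive path.
archive_rotated_logs() {
    logdir=$1; archdir=$2; trigger=$3; num_logs=$4
    [ -f "$logdir/audit.log.$trigger" ] || return 1
    mkdir -p "$archdir"
    out="$archdir/audit-$(date -u +%Y%m%dT%H%M%SZ)-$$.txt"
    : > "$out"
    chmod 0600 "$out"          # interpreted audit data is as sensitive as the raw log
    i=$num_logs                # highest index = oldest file; walk down to audit.log.1
    while [ "$i" -ge 1 ]; do
        f="$logdir/audit.log.$i"
        if [ -f "$f" ]; then
            # -i interprets uids/syscall numbers; --input restricts ausearch to this file.
            if "$AUSEARCH" -i --input "$f" >> "$out"; then
                rm -f "$f"
            else
                # ausearch failed (or found no records): keep the file for the next run.
                printf 'warning: %s not archived, left in place\n' "$f" >&2
            fi
        fi
        i=$((i - 1))
    done
    printf '%s\n' "$out"
}

# demo_sweep: offline demonstration on a constructed fixture (no auditd needed).
# Builds audit.log.1..audit.log.9 with one constructed record each plus a live
# audit.log, runs the sweep with a stub ausearch, and sets DEMO_ARCHIVED (records
# in the archive), DEMO_LEFT (rotated files remaining), DEMO_LIVE_INTACT (audit.log
# untouched) and DEMO_FIRST (first archived line, expected to come from audit.log.9).
demo_sweep() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/audit" "$tmp/bin"
    # Stub ausearch for the demo: copies its input file instead of interpreting it.
    cat > "$tmp/bin/ausearch" <<'EOF'
#!/bin/sh
shift $(($# - 1)); cat "$1"
EOF
    chmod +x "$tmp/bin/ausearch"
    i=1
    while [ "$i" -le 9 ]; do
        # Constructed records, not real captures; serial number matches the file index.
        printf 'type=SYSCALL msg=audit(170000000%d.000:%d): arch=c000003e syscall=59 success=yes exit=0 comm="id"\n' \
            "$i" "$i" > "$tmp/audit/audit.log.$i"
        i=$((i + 1))
    done
    printf 'type=SYSCALL msg=audit(1700000010.000:10): syscall=59 comm="live"\n' > "$tmp/audit/audit.log"
    AUSEARCH="$tmp/bin/ausearch"
    DEMO_OUT=$(archive_rotated_logs "$tmp/audit" "$tmp/archive" 9 12)
    DEMO_ARCHIVED=$(wc -l < "$DEMO_OUT" | tr -d ' ')
    DEMO_FIRST=$(head -n 1 "$DEMO_OUT")
    DEMO_LEFT=0
    for f in "$tmp/audit"/audit.log.*; do
        if [ -e "$f" ]; then DEMO_LEFT=$((DEMO_LEFT + 1)); fi
    done
    # audit.log itself must be untouched: auditd is still writing to it.
    DEMO_LIVE_INTACT=0
    if [ -s "$tmp/audit/audit.log" ]; then DEMO_LIVE_INTACT=1; fi
    rm -rf "$tmp"
}

case "${1:-}" in
    sweep) archive_rotated_logs /var/log/audit /var/log/audit-archive 9 12 \
               || printf 'audit.log.9 not present, nothing to do\n' ;;
    demo)  demo_sweep && printf 'archived=%s left=%s first=%s\n' "$DEMO_ARCHIVED" "$DEMO_LEFT" "$DEMO_FIRST" ;;
esac
```

Run it as `sh audit-sweep.sh demo` to exercise the fixture, and from cron as `0 * * * * root sh /usr/local/sbin/audit-sweep.sh sweep` (path assumed). Two points worth keeping in mind with this arrangement: a rotated file is removed only after ausearch has written its interpreted copy, so a rotation that auditd performs in the middle of the sweep merely leaves a file behind for the next hour rather than losing it; and `ausearch -i` resolves uids, syscall numbers and similar fields against the host at the moment it runs, so the interpreted text cannot be re-searched with ausearch later the way the raw audit.log.N files can. If you may need to re-query old events, compressing and archiving the raw rotated files alongside (or instead of) the interpreted output preserves that ability.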