
Volume Audit File Maintenance

This section describes how you can use AUDITCON to close, copy, delete, and display the server's old audit files. These mechanisms work only for old audit files, that is, the files maintained online by the server.

You cannot perform these operations on offline audit data files. The only operation you can perform on the server's current audit file is to reset the file, which causes the server to roll over to a new current audit file.


Audit File Maintenance Prerequisites:


Procedures

  1. Choose Audit files maintenance from the Available audit options menu (101).

  2. Press Enter.

    AUDITCON displays menu 700, which lists more maintenance options.

    Figure 63
    Menu 700: Audit Files Maintenance


Copy Old Audit File

This section describes how to copy old online audit files to removable media (for example, diskettes or magnetic tapes), workstation directories, or network drives. The primary reason for copying an audit file is to save the contents of the file before you delete it from the server (see Delete Old Audit File). You might also want to copy an old audit file to removable media in order to save it for evidence or to keep it for long-term storage.


Prerequisites


Procedure

  1. Choose Copy old audit file from the Audit files maintenance menu (700).

    AUDITCON displays menu 710, which lists up to 15 old audit files that are maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

    Figure 64
    Menu 710: Select Old Audit file

    NOTE:  There is no mechanism for copying the contents of the current audit file. If you want to copy this data, you must first reset the audit data file as described in Reset Audit Data File.

    You can only copy one file at a time. If you want to copy multiple audit files, perform the steps in this section once for each file.

  2. Move the cursor to choose the desired audit file, then press Enter.

    AUDITCON prompts you for the name of the offline audit file.

  3. Enter the filename of the destination audit file and press Enter.

    The pathname must be a DOS pathname on your local workstation, for example, A:\AUDIT301.DAT, C:\AUDIT\FILE1.DAT, or F:\AUDITOR\VOL1\A950224.DAT.

    If you do not specify a drive letter and directory, AUDITCON leaves the audit file in your current directory. The default filename is AUDITOLD.DAT on your local drive.

    AUDITCON displays a Please wait message while it copies the audit file from the server to your offline destination file. When it has copied the file, AUDITCON returns to menu 700.

  4. If you copy audit files from the server onto your local workstation's file system, you must ensure that the audit data is properly protected by your workstation.

  5. If you copy the audit file onto removable media (for example, a diskette or tape cartridge), attach a diskette or tape label that shows the server name, volume name, your name, the date, time, and size of the audit file, along with any other specific comments that you feel are important. Finally, you must ensure that the media is physically protected.

    The purpose of this information is to ensure that you can load the medium in the future, and generate meaningful audit reports from it.

    NOTE:  A common strategy is to set the maximum audit file size so that one audit file fits on a 1.44 MB diskette. See Changing a Volume Audit Configuration for information on setting the audit file size.

    If you have a high volume of audit data, you will probably want to archive your audit files onto magnetic tape, for example, tape cartridges. AUDITCON does not provide a means for copying audit files directly to magnetic tape. If you want to use magnetic tape for long-term storage, you must first copy those files onto your file system, then use a backup program to copy the files to magnetic tape.

    The frequency at which you should copy the server's audit files to offline storage depends on how fast your server fills up audit files. If your server archives audit files on a periodic basis (as opposed to filling up the audit file), then you can set the number of audit files to 10 or 15, and copy or remove online audit files once per week without expecting to overflow the number of audit files.
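
For copies kept on a workstation file system, the label described in step 5 and the protection required in step 4 can be recorded next to the file itself. The Python code below is an added example, not part of AUDITCON or of the original documentation; the function names, the .label file, the sample server and auditor names, and the SHA-256 digest field (which goes beyond the label fields listed above) are assumptions.

```python
import hashlib
import os
import stat
import tempfile


def build_label(path, server, volume, auditor, started, comments=""):
    """Collect the label fields for one copied audit file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "file": os.path.basename(path),
        "server": server,
        "volume": volume,
        "copied_by": auditor,
        "file_started": started,      # date/time shown for the file in menu 710
        "size_bytes": os.path.getsize(path),
        "sha256": digest,             # added here; not a field the page lists
        "comments": comments,
    }


def write_label(path, label):
    """Write the label beside the copy, then make both files owner read-only."""
    label_path = path + ".label"
    with open(label_path, "w", encoding="utf-8") as fh:
        for key, value in label.items():
            fh.write(f"{key}: {value}\n")
    for p in (path, label_path):
        os.chmod(p, stat.S_IRUSR)
    return label_path


def verify_copy(path, label):
    """Return True if the file still matches the recorded size and digest."""
    now = build_label(path, label["server"], label["volume"],
                      label["copied_by"], label["file_started"])
    return (now["size_bytes"], now["sha256"]) == (label["size_bytes"], label["sha256"])


if __name__ == "__main__":
    # Constructed sample: placeholder bytes standing in for a copied audit file.
    with tempfile.TemporaryDirectory() as d:
        copy = os.path.join(d, "A950224.DAT")
        with open(copy, "wb") as fh:
            fh.write(b"constructed sample audit data\n" * 4)
        label = build_label(copy, "SERVER1", "VOL1", "auditor", "1995-02-24 00:00")
        write_label(copy, label)
        print(label, verify_copy(copy, label))
```

Run verify_copy again before deleting the online file and again when the archived copy is reloaded for reporting; a False result means the copy no longer matches what was labelled.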


Delete Old Audit File

This section describes how to delete an old audit file from the server's online storage after you've copied the file to offline storage or decided that you do not need to save the file.


Prerequisites


Procedure

  1. Choose Delete old audit file from the Audit files maintenance menu (700).

    AUDITCON displays menu 720, which lists up to 15 old audit files that are maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

    Figure 65
    Menu 720: Select Old Audit File

    NOTE:  There is no mechanism for deleting the current audit file. If you want to delete the data in the current audit file, you must first reset the audit data file (see Reset Audit Data File).

    You can only delete one file at a time. If you want to delete multiple audit files, perform the steps in this section once for each file.

  2. Move the cursor to choose the desired audit file, then press Enter.

    AUDITCON asks you to confirm that you want to delete the audit file.

    WARNING:  After you delete an online audit file, there is no way to recover the contents of the file. Do not delete the file unless you are absolutely certain that you will not require the data in the audit file. If there is any doubt, copy the audit file (see Copy Old Audit File) to offline storage before you delete the file.

  3. If you are certain that you want to delete the old audit file, press Enter.


Reset Audit Data File

This section describes how to reset the current audit file. Resetting a file is a manual means of causing the current audit file to roll over, that is, to cause the current audit file to become an old audit file and to establish a new current audit file.

Manual reset might be necessary, for example, if the server stops processing volume requests because the volume is in an overflow state. See Resolving Volume Audit Problems for information on recovering from volume overflow.


Prerequisites


Procedures

  1. Choose Reset audit data file from the Audit files maintenance menu (700).

    AUDITCON requests confirmation that you want to perform the reset.

    If you perform the reset, the current audit file will become an old audit file and a new current audit file will be created.

  2. Choose Yes and press Enter to reset the current volume audit file.


