
External Audit Trail Maintenance

This section describes how you can use AUDITCON to copy, delete, and display the server's old audit files. These mechanisms work only for old audit files, that is, the files maintained online by the server. You cannot perform these operations on offline audit data files. The only operation you can perform on the server's current audit file is to reset the file, which causes the server to roll over to a new current audit file.


Audit File Maintenance Prerequisites


Procedure

  1. Choose Audit files maintenance from the Available audit options menu (2101).

  2. Press Enter.

    AUDITCON displays menu 2700, which lists more maintenance options. These options are described in the following sections.

    Figure 123
    Menu 2700: Audit Files Maintenance


Copy Old Audit File

This section describes how to copy old online audit files to removable media (for example, diskettes or magnetic tapes), workstation directories, or network drives. The primary reason for copying an audit file is to save the contents of the file before you delete it from the server (see Delete Old Audit File). You might also want to copy an old audit file to removable media to save it for evidence or to keep it for long-term storage.


Prerequisites


Procedure

  1. Choose Copy old audit file from the Audit files maintenance menu (2700).

    AUDITCON displays menu 2710, which lists up to 15 old audit files that are maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

    Figure 124
    Menu 2710: Select Old Audit File

  2. Move the cursor to choose the desired audit file and press Enter.

    AUDITCON then prompts you for the name of the offline audit file.

    NOTE:  There is no mechanism for copying the contents of the current audit file. If you want to copy this data, you must first reset the audit data file (see Reset Audit Data File).

    You can only copy one file at a time. If you want to copy multiple audit files, perform the steps in this section once for each file.

  3. Enter the filename of the destination audit file and press Enter.

    The pathname must be a DOS pathname on your local workstation, for example, A:\AUDIT301.DAT, C:\AUDIT\FILE1.DAT, or F:\AUDITOR\VOL1\A950224.DAT. If you do not specify a drive letter and directory, AUDITCON will leave the audit file in your current directory. The default pathname is AUDITOLD.DAT on your local drive.

    AUDITCON displays a Please wait message while it copies the audit file from the server to your offline destination file. When it has copied the file, AUDITCON returns to menu 2700.

  4. If you copy audit files from the server onto your local workstation's file system, you must ensure that the audit data is properly protected by your workstation.

  5. If you copy the audit file onto removable media (for example, a diskette or tape cartridge), attach a diskette or tape label that shows the server name, volume name, your name, the date, time, and size of the audit file, along with any other specific comments that you feel are important. Finally, you must ensure that the media is physically protected.

    The purpose of this information is to ensure that you can load the medium in the future and generate meaningful audit reports from it.

    NOTE:  One strategy that is commonly used is to set the maximum audit file size so that one audit file will fit on a 1.44 MB diskette. See Audit Options Configuration for information on setting the audit file size.

    If you have a high volume of audit data, you will probably want to archive your audit files onto magnetic tape, for example, tape cartridges. AUDITCON does not provide a means for copying audit files directly to magnetic tape. If you want to use magnetic tape for long-term storage, you must first copy those files onto your file system, then use a backup program to copy the files to magnetic tape.

    The frequency at which you copy the server's audit files to offline storage depends on how fast your server fills up audit files. If your server rolls over audit files on a periodic basis (as opposed to filling up the audit file), then you can set the number of audit files to 10 or 15, and copy/remove online audit files once per week without expecting to overflow the number of audit files.
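The label information from step 5, written as a machine-readable record that can be stored with the offline copy and checked later. This is an added example, not part of AUDITCON or the original documentation; the SHA-256 digest goes beyond the fields the procedure lists, and the server, volume, and auditor names are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Usable data area of a DOS-formatted (FAT12) 1.44 MB diskette, in bytes.
DISKETTE_USABLE_BYTES = 1_457_664

def build_label(path, server, volume, auditor, comments="", now=None):
    """Return the label record for one offline audit file."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    stamp = (now or datetime.now(timezone.utc)).replace(microsecond=0)
    return {
        "file": os.path.basename(path),
        "server": server,
        "volume": volume,
        "copied_by": auditor,
        "date": stamp.date().isoformat(),
        "time": stamp.time().isoformat(),
        "size_bytes": size,
        "fits_1_44mb_diskette": size <= DISKETTE_USABLE_BYTES,
        "sha256": digest.hexdigest(),  # assumption: not a field the page lists
        "comments": comments,
    }

def verify_label(path, label):
    """True if the archived file still matches the size and digest on its label."""
    now = build_label(path, label["server"], label["volume"], label["copied_by"])
    return (now["size_bytes"], now["sha256"]) == (label["size_bytes"], label["sha256"])

if __name__ == "__main__":
    # Constructed sample: a stand-in for an offline copy, not real audit data.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "AUDITOLD.DAT")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample audit bytes\n" * 100)
        label = build_label(sample, "SERVER1", "SYS", "auditor", "weekly copy")
        print(json.dumps(label, indent=2))
        print("unchanged:", verify_label(sample, label))
```

Keep the label record on different media from the audit file it describes, so that a change to the archived copy cannot be hidden by rewriting its label.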


Delete Old Audit File

This section describes how to delete an old audit file from the server after you've copied the file to offline storage or decided that you do not need to save the file.


Prerequisites


Procedure

  1. Choose Delete old audit file from the Audit files maintenance menu (2700).

    AUDITCON displays menu 2720, which lists up to 15 old audit files that are maintained online by the server. The old audit files are sorted by date and time (oldest first). The dates and times displayed show when the audit file was created (that is, when it started accumulating audit events).

    Figure 125
    Menu 2720: Select Old Audit File

    NOTE:  There is no mechanism for deleting the current audit file. If you want to delete the data in the current audit file, you must first reset the audit data file (see Reset Audit Data File in this chapter).

    You can only delete one file at a time. If you want to delete multiple audit files, perform the steps in this section once for each file.

  2. Move the cursor to choose the desired audit file, then press Enter.

    AUDITCON asks you to confirm that you want to delete the audit file.

    WARNING:  After you delete an online audit file, there is no way to recover the contents of the file. Do not delete the file unless you are absolutely certain that you will not require the data in the audit file. If there is any doubt, copy the audit file to offline storage before you delete the file.


Reset Audit Data File

This section describes how to reset the current audit file. Reset is a manual means of causing the current audit file to roll over, that is, to cause the current audit file to become an old audit file and to establish a new current audit file.

Manual reset might be necessary, for example, if the server stops processing external audit requests because the external audit trail is in an overflow state. See Trail Problems for information on recovering from external audit trail overflow.


Prerequisites


Procedure

  1. Choose Reset audit data file from the Audit files maintenance menu (2700).

    AUDITCON requests confirmation that you want to perform the reset.

    If you perform the reset, the current audit file will become an old audit file and a new current audit file will be created.

  2. Choose Yes and press Enter to reset the current external audit file.


