Monday, October 12, 2009

Too Big An Audit Log To Handle

Have you ever encountered a Solaris audit log that has not been rotated for months? It is just far too big for some of the downstream programs to handle. Here is a sample script to 'chop' the output of praudit -l into individual files based on day: praudit -l prints one record per line, comma-separated, and the 7th field is the record's timestamp, so the date part of that field becomes the file name. With this simple script, you can now handle the audit log with ease.
IFS_orig=$IFS
cd /var/audit || exit 1
# praudit -l prints one record per line; field 7 (comma-separated) is the
# timestamp, e.g. "2009-10-09 09:50:22.000 +08:00"
praudit -l 2009052803069.20091009095022.myhost | while read -r line
do
        IFS=","
        set -- $line            # split the record on commas
        d=$7                    # the timestamp field
        IFS=$IFS_orig
        set -- $d               # split the timestamp on whitespace
        ymd=$1                  # YYYY-MM-DD
        echo "$line" >> "$ymd.txt"
done
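As an added example (not the original post's script), the same per-day split done with awk, which is far faster than a shell read loop on a months-long log and also routes any line that does not carry a usable timestamp in field 7 into unparsed.txt. The praudit -l field layout is assumed from the script above and the sample records are constructed, not real audit data.

```shell
#!/bin/sh
# Added example, not the original post's script. Splits praudit -l output into
# one file per day with awk rather than a shell read loop, and sends records
# whose 7th field is not a YYYY-MM-DD timestamp to unparsed.txt instead of
# creating a file named after garbage.

# usage: split_by_day OUTDIR < praudit_l_output
split_by_day() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -F, -v outdir="$outdir" '
        {
            split($7, t, " ")      # "2009-10-09 09:50:22.000 +08:00" -> t[1] is the date
            if ($1 == "header" && t[1] ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/)
                ymd = t[1]
            else
                ymd = "unparsed"
            f = outdir "/" ymd ".txt"
            # records are chronological, so close the previous file when the day
            # changes instead of holding one descriptor open per day
            if (f != last) { if (last != "") close(last); last = f }
            print $0 >> f          # >> so a reopened day file is appended, not truncated
        }'
}

# Constructed sample records in praudit -l layout (field 7 is the timestamp);
# the last line stands in for a corrupt or non-audit line.
sample_records() {
    printf '%s\n' \
        'header,69,2,login - local,,myhost,2009-10-09 09:50:22.000 +08:00,subject,root,root,root,root,root,1234,5678,0 0 myhost,return,success,0' \
        'header,69,2,login - local,,myhost,2009-10-09 10:01:00.000 +08:00,subject,jdoe,jdoe,staff,jdoe,staff,1235,5679,0 0 myhost,return,success,0' \
        'header,69,2,logout,,myhost,2009-10-10 08:00:00.000 +08:00,subject,jdoe,jdoe,staff,jdoe,staff,1235,5679,0 0 myhost,return,success,0' \
        'this line is not an audit record'
}

# Demo when run directly: split the sample into ./by_day and show per-day counts.
sample_records | split_by_day "${OUTDIR:-by_day}"
for f in "${OUTDIR:-by_day}"/*.txt; do
    echo "$f: $(grep -c '' "$f") record(s)"
done
```

Because the day files are opened for append, re-running against the same output directory adds the records a second time; point OUTDIR at an empty directory for each run.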
