Advice needed in switching from stream mode to bin mode in AIX auditing

In auditing writes to all files in the /etc directory, stream mode auditing is giving me too huge a stream.out file. First, would it be best for me to switch to bin mode?

Second, if I want to switch from stream mode to bin mode (aside from changing the config file to say binmode = on, streammode = off), is this change in my script all I would have to do to collect the data I want? (The script would run at midnight every night.)

#!/bin/sh
## Shuts down auditing (pending bin data is flushed to the trail) ##
/usr/sbin/audit shutdown
sleep 5
## Saves audit log to a file named with the current day (days overwritten with new data weekly) ##
## (guarded so the first run, when /audit.out does not exist yet, does not abort here) ##
[ -f /audit.out ] && mv /audit.out /audit/audit`date +%m%a`.log
## Puts every file in the specified directories into the objects file to be audited ##
## ($0 is the whole path as printed by find; $1 would truncate a name containing whitespace) ##
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$0)}' > /etc/security/audit/objects
## Starts auditing (the objects file is read at this point, so it must be written before) ##
/usr/sbin/audit start
## Starts audit data collection (actually renders the binary trail as text; it does not collect anything itself) ##
/usr/sbin/auditpr -v < /audit/trail > /audit.out
murkytunaAsked:
murkytunaAuthor Commented:
It looks like whenever I run /usr/sbin/auditpr -v < /audit/trail > /audit.out it shows the audit collection of writes to files from the time auditing started to the time that I run the command. If I don't run the command for a while and I look at the /audit.out file, it stays the same as it looked the last time I ran that command. So I guess for data collection on a daily basis, I'd need to run that command at the end of the day, then save the /audit.out file somewhere for that day?
0
woolmilkporcCommented:
Hi again,
It seems that you didn't quite understand the difference between the stream and bin modes of auditing in AIX.
In stream mode a stream file is generated continuously, so there is no need to run auditpr. You always have a clear-text audit log.
In bin mode the audit trail (as opposed to the audit stream) uses a binary format, consuming much less space in the filesystem.
Raw data is collected in two alternating bin files, which are switched between based on a configurable size limit.
Every time a switch occurs, the contents of the affected bin file are appended to the trail file (using the command defined in "bincmds"), whose location is configurable in the config file.
The binary data can additionally be compressed by adding the "-p" flag to "auditcat" in bincmds (if not already present).
Moreover, there is free space monitoring, so that the free space in the filesystem cannot fall below a configured minimum due to trail file growth.
Another difference: as opposed to the stream file, the trail file is not deleted by default upon "audit start", so there is actually no need to move it away beforehand. (OK, this deletion can be avoided by changing ">" to ">>" in streamcmds.)
You need to use "auditpr" in order to view audit data contained in the trail, to convert it from binary to text. The trail is continuously managed by the audit subsystem, as I wrote above, so you need to run auditpr only when you actually want to view the data, or to save it to a file for archiving in text format.
For long-term archiving you could as well save properly named versions of the binary trail, to save disk space. Process these files with auditpr only when needed.
wmp
0
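As an added example (not code from the question or from woolmilkporc's answer), here is a nightly sh/ksh job for bin mode along the lines the answer describes: it checks that binmode is actually on in the config before trusting the trail, archives the binary trail under a date-stamped name while auditing is shut down (so auditcat is not appending to it), regenerates the objects file, restarts auditing, and renders the archived trail to text with auditpr for reading. The paths /audit/trail, /etc/security/audit/config and /etc/security/audit/objects, the FILE_Write object stanza and the "audit shutdown / audit start / auditpr -v" calls are taken from the question; the archive directory /audit/archive, the YYYYMMDD naming, the refusal to overwrite an existing archive and the helper names are my assumptions. Only the file-handling helpers run outside AIX; the driver is invoked explicitly with the argument "run".

```shell
#!/bin/sh
# Added example, not from the question or the answer. Assumed paths:
# AUDIT_CONFIG, OBJECTS and TRAIL as in the question; ARCHIVE_DIR is assumed.
AUDIT_CONFIG=${AUDIT_CONFIG:-/etc/security/audit/config}
OBJECTS=${OBJECTS:-/etc/security/audit/objects}
TRAIL=${TRAIL:-/audit/trail}
ARCHIVE_DIR=${ARCHIVE_DIR:-/audit/archive}

# Print the value of KEY inside the "STANZA:" block of an AIX-style stanza
# file ("key = value", one per line); prints "unknown" if it is not there.
stanza_value() {   # stanza_value FILE STANZA KEY
    awk -v stanza="$2" -v key="$3" '
        /^[A-Za-z_]+:/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == stanza && $1 == key && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) print "unknown" }
    ' "$1"
}

# Write an objects stanza (same format as the question's find|awk) for every
# regular file under DIR. A name containing whitespace, ':' or '"' cannot be
# expressed safely in the stanza format, so it is skipped and reported on
# stderr instead of silently producing a broken entry. Prints the count written.
make_objects() {   # make_objects DIR OUTFILE
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f -print | while IFS= read -r f; do
        case $f in
            *[[:space:]:'"']*) echo "skipping unrepresentable path: $f" >&2 ;;
            *) printf '%s:\n\tw = FILE_Write\n\n' "$f" >> "$out" ;;
        esac
    done
    awk '/:$/ { n++ } END { print n + 0 }' "$out"
}

# Move the binary trail to ARCHIVE_DIR/trail.STAMP and leave an empty trail
# behind. Never overwrites an existing archive (a rerun on the same day must
# not destroy evidence). Call only while auditing is shut down.
rotate_trail() {   # rotate_trail TRAIL ARCHIVE_DIR STAMP
    [ -f "$1" ] || { echo "no trail at $1" >&2; return 1; }
    mkdir -p "$2"
    dest="$2/trail.$3"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing archive $dest" >&2
        return 1
    fi
    mv "$1" "$dest" && : > "$1"
    echo "$dest"
}

# Nightly driver; only meaningful on AIX with the audit subsystem installed.
nightly() {
    [ -x /usr/sbin/audit ] || { echo "no /usr/sbin/audit on this host" >&2; return 1; }
    mode=$(stanza_value "$AUDIT_CONFIG" start binmode)
    if [ "$mode" != on ]; then
        echo "binmode is '$mode' in $AUDIT_CONFIG; the trail will not be written" >&2
        return 1
    fi
    stamp=$(date +%Y%m%d)
    /usr/sbin/audit shutdown
    dest=$(rotate_trail "$TRAIL" "$ARCHIVE_DIR" "$stamp") || return 1
    make_objects /etc "$OBJECTS" > /dev/null
    /usr/sbin/audit start
    # Text rendering for reading; the binary copy remains the archive and can
    # be fed to auditpr again later (assumes the default, uncompressed trail).
    /usr/sbin/auditpr -v < "$dest" > "$dest.txt"
}

if [ "${1:-}" = run ]; then
    nightly
fi
```

Run it from cron as "sh nightly-audit.sh run". If you add "-p" to auditcat in bincmds as the answer suggests, the trail is compressed; check the auditcat and auditpr manual pages for how a packed trail is read before relying on the auditpr step above, which assumes the uncompressed default.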