Advice needed in switching from stream mode to bin mode in AIX auditing

In auditing writes to all files in the /etc directory, stream mode auditing is giving me too huge a stream.out file. First, would it be best for me to switch to bin mode?

Second, if I want to switch from stream mode to bin mode (aside from changing the config file to say binmode = on streammode = off), is this change in my script all I would have to do to collect the data I want? (The script would run at midnight every night.)

## Shuts down auditing ##
/usr/sbin/audit shutdown
sleep 5
## Saves audit log to a file named with the current day (days overwritten with new data weekly) ##
mv /audit.out /audit/audit`date +%m%a`.log
## Puts every file in the specified directories into the objects file to be audited ##
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' > /etc/security/audit/objects
## Starts auditing ##
/usr/sbin/audit start
## Starts audit data collection ##
/usr/sbin/auditpr -v < /audit/trail > /audit.out
woolmilkporc Commented:
Hi again,
it seems that you didn't quite understand the difference between the stream and bin modes of auditing in AIX.
In stream mode a stream file is generated continuously, so no need to run auditpr. You always have a clear text audit log.
In bin mode the audit trail (as opposed to the audit stream) uses a binary format, consuming much less space in the filesystem.
Raw data is collected in two alternating bin files, which are switched between based on a configurable size limit.
Every time a switch occurs the contents of the affected bin file are appended to the trail file (using the command defined in "bincmds"), whose location is configurable in the config file.
The binary data can additionally get compressed, by adding the "-p" flag to "auditcat" in bincmds (if not already present).
Moreover, there is free space monitoring, so that the free space in the filesystem cannot fall below a configured minimum due to trail file growth.
Another difference - as opposed to the stream file, the trail file is not deleted by default upon "audit start", so there is actually no need to move it away beforehand. (OK, this deletion can be avoided by changing ">" to ">>" in streamcmds).
You need to use "auditpr" in order to view audit data contained in the trail, to convert from binary to text. The trail is continuously managed by the audit subsystem, as I wrote above, so you need to run auditpr only when you actually want to view the data, or to save them to a file for archiving in text format.
For long-term archiving you could as well save properly named versions of the binary trail, to save disk space. Process these files with auditpr only when needed.
murkytuna (Author) Commented:
It looks like whenever I run /usr/sbin/auditpr -v < /audit/trail > /audit.out it shows the audit collection of writes to files from the time auditing started to the time that I run the command.  If I don’t run the command for a while and I look at the /.out file it stays the same as it looked the last time I ran that command.  So I guess for data collection on a daily basis, I’d need to run that command at the end of the day, then save the /audit.out file somewhere for that day?
Question has a verified solution.
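
A nightly bin-mode job along the lines woolmilkporc describes (archive the binary trail under a dated name, run auditpr only when the data is actually read), as an added example that is not part of the original thread. The /audit/archive directory, the function names and the environment-variable overrides are assumptions; /audit/trail and the month-plus-weekday file naming come from the script in the question.

```shell
#!/bin/sh
# Added example: nightly rotation for AIX bin-mode auditing.
# Paths are assumptions; TRAIL must match "trail" in the bin: stanza
# of /etc/security/audit/config.
TRAIL=${TRAIL:-/audit/trail}
ARCHIVE_DIR=${ARCHIVE_DIR:-/audit/archive}     # hypothetical archive location
AUDIT=${AUDIT:-/usr/sbin/audit}
AUDITPR=${AUDITPR:-/usr/sbin/auditpr}

# Same naming idea as the question's script (e.g. trail.03Mon), so each
# weekday's file is overwritten a week later.
archive_name() {
    echo "$ARCHIVE_DIR/trail.$(date +%m%a)"
}

# Stop auditing so the trail is not appended to while it is moved (as the
# question's script does), keep the trail in binary form, then restart.
# Prints the archive path, or an empty line if there was nothing to archive.
rotate_trail() {
    dest=$(archive_name)
    mkdir -p "$ARCHIVE_DIR" || return 1
    "$AUDIT" shutdown >/dev/null 2>&1 || return 1
    sleep "${SETTLE_SECS:-5}"
    if [ -s "$TRAIL" ]; then
        # If the move fails, restart auditing before reporting the error.
        mv "$TRAIL" "$dest" || { "$AUDIT" start >/dev/null 2>&1; return 1; }
    else
        dest=""
    fi
    "$AUDIT" start >/dev/null 2>&1 || return 1
    echo "$dest"
}

# Convert one archived binary trail to text on demand.
render_trail() {
    [ -r "$1" ] || return 1
    "$AUDITPR" -v < "$1"
}

# From cron at midnight: <this script> --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate_trail
fi
```
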
