
recommended partition size to hold auditd logs & BSM logs

sunhux asked:
If we need to retain BSM (Solaris Basic Security Module) audit logs (they can be in zipped/gz format), what partition sizing is recommended?

I know it depends on the amount of activity, but suppose I currently have 2GB left; how much more should I extend?

BSM is merged with auditd logs.
Distinguished Expert 2017

Commented:
Best to extract the data from the log on an ongoing basis and record it in a searchable DB.

Since you have to retain the data for a certain duration it is hard to predict how much space you would need.
You could compress.

Author

Commented:
Refer to the attached file for my current utilization:

Q1:
Can auditlog.1/../.9 be compressed, or are these 'non-readable' files already highly compressed? See the /bsm_aud/auditlogs folder.

Q2:
Those big files under ./bsm_aud, i.e. the 2019mmddhhmmss.SS89 files, are quite recent files; can they be gzipped without any impact?

Attachment: WLdiskutil.txt
Top Expert 2016
Commented:
How much to increase depends upon the size increase per day, i.e. if it increases by 1MB/day and you increase by 1GB, then you have 1000 days left.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Better to place this on one partition for "/", as trying to reserve space on a custom partition will either cause you to be short of space, losing log data, or create a massive amount of space which remains empty/unused.

Author

Commented:
Ok, from Tivoli/other monitoring tools, the guide is to have 30-35% of free disk space.
Distinguished Expert 2017

Commented:
The implementation of a syslog server is fairly straightforward since it is installed by default in all distros.

You should consider an implementation that extracts the data of interest.
Rsyslog is an improvement over the syslog that is commonly installed on Solaris 10.
Do you have or use a monitoring tool? Some include a syslogger option that can receive notifications.