sunhux asked:
recommended partition size to hold auditd logs & BSM logs

If we need to retain BSM (Solaris Basic Security Module) logs (they can be kept in zipped/gz format), what partition sizing is recommended?

I know it depends on the amount of activity, but suppose I currently have 2GB left: by how much more should I extend it?

BSM is merged with the auditd logs.

arnold replied:
Best to extract the data from the log on an ongoing basis and record it in a searchable DB.

Since you have to retain the data for a certain duration it is hard to predict how much space you would need.
You could compress.
sunhux (asker) replied:
Refer to the attached file for my current utilization:

Q1:
Can auditlog.1/../.9 be compressed, or are these 'non-readable' files already highly compressed?
See the /bsm_aud/auditlogs folder.

Q2:
Those big files under ./bsm_aud, i.e. the 2019mmddhhmmss.SS89 files, are quite recent files; can they be gzipped without any impact?

Attachment: WLdiskutil.txt
David Johnson, CD replied (asker certified solution):
Better to place this on one partition for "/", as trying to reserve space on a custom partition will either cause you to be short of space, losing log data, or create a massive amount of space which remains empty/unused.
sunhux (asker) replied:
OK, from Tivoli/other monitoring tools, the guideline is to have 30-35% free disk space.

The implementation of a syslog server is fairly straightforward, since it is installed by default in all distros.

You should consider an implementation that extracts the data of interest.
Rsyslog is an improvement over the syslog that is commonly installed on Solaris 10.
Do you have/use monitoring tools? Some include a syslogger option that can receive notifications.