Audit records generated by an event are eventually written to a log file. Initially, however, audit records are by default written to one of a number of audit buffers in main memory. When an audit buffer reaches the designated high water mark, the audit daemon process switches to the next available buffer and marks the full one as writable. The daemon process then writes the audit buffer to the audit event log file and returns the buffer to the pool of available buffers.
By default, the log files are kept in the /var/audit directory. You can control the directory used, the size of each file, the action to be taken when the log file is full, and more. You can also specify that the auditing data be backed up to a storage device, such as a tape drive, rather than to a regular file. See ``Configuring auditing'' for more information. The default audit event log file is a regular file.
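
The buffer rotation described in the first paragraph can be modelled in a few lines of C. This is an added example, not the audit subsystem's own code: the buffer count, sizes, function names and the refusal of records when no buffer is free are assumptions of the model. It shows that records sitting in a buffer below the high water mark are not yet in the log file.

```c
#include <stddef.h>
#include <string.h>
/* Sizes, names and the refusal when no buffer is free are assumptions of this model. */
#define NBUF 3         /* buffers in the pool */
#define BUFSZ 64       /* bytes per buffer */
#define HIGH_WATER 48  /* high water mark, in bytes */
enum state { AVAILABLE, ACTIVE, WRITABLE };
struct abuf { enum state st; size_t used; char data[BUFSZ]; };
struct pool { struct abuf b[NBUF]; int active; size_t logged, refused; };

void pool_init(struct pool *p) { memset(p, 0, sizeof *p); p->b[0].st = ACTIVE; }

/* Make the next AVAILABLE buffer (searching from the current one) ACTIVE. */
static int next_available(struct pool *p) {
    for (int i = 0; i < NBUF; i++) {
        int j = (p->active + i) % NBUF;
        if (p->b[j].st == AVAILABLE) { p->b[j].st = ACTIVE; p->active = j; return 0; }
    }
    return -1;
}

/* Daemon write step: each WRITABLE buffer goes to the log, then back to the pool. */
size_t daemon_flush(struct pool *p) {
    size_t n = 0;
    for (int i = 0; i < NBUF; i++)
        if (p->b[i].st == WRITABLE) {
            n += p->b[i].used;        /* stands in for the write to the log file */
            p->b[i].used = 0; p->b[i].st = AVAILABLE;
        }
    p->logged += n;
    return n;
}

/* Append one record; at the high water mark, mark the buffer writable and switch. */
int audit_append(struct pool *p, const char *rec, size_t len) {
    if (p->b[p->active].st != ACTIVE && next_available(p) != 0) { p->refused++; return -1; }
    struct abuf *a = &p->b[p->active];
    if (len > BUFSZ - a->used) { p->refused++; return -1; }
    memcpy(a->data + a->used, rec, len); a->used += len;
    if (a->used >= HIGH_WATER) { a->st = WRITABLE; next_available(p); }
    return 0;
}

/* Bytes accepted but not yet written to the log file: they exist only in memory. */
size_t pending_in_memory(const struct pool *p) {
    size_t n = 0;
    for (int i = 0; i < NBUF; i++) n += p->b[i].used;
    return n;
}
```

With 16-byte records, the fourth record lands in the second buffer and stays in memory after the daemon has written the first buffer out.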