2.18.8 Preparing the disks used by the audit trail facility
Depending on the number of audit target events that occur, an extremely large number of audit trails might be output. This can result in a large number of I/O operations with respect to the disk to which the audit trails are output, potentially affecting the processing performance of the HADB server. For this reason, we recommend that you prepare a disk (audit trail output disk) to serve as a dedicated output destination for audit trail information. We also recommend that you prepare additional disks for storing audit trail files (an audit trail storage disk and an audit trail long-term storage disk). We recommend that you have these three disks in place when using the audit trail facility. The purpose of each disk is as follows.
- Audit trail output disk
  The only directory created on the audit trail output disk is the audit trail directory. The HADB server outputs audit trail information to this directory. Generally, audit trail files stored on this disk will not be referenced.
  Audit trail files are to be regularly moved from the audit trail output disk to the audit trail storage disk. We recommend that you create a batch program that moves the files, and run the program regularly.
- Audit trail storage disk
  The audit trail storage disk stores the audit trail files used for auditing purposes. During auditing, the auditor references audit trail information by specifying the path of the audit trail file on the audit trail storage disk in the ADB_AUDITREAD function. Suppose an auditor will be using one year of audit trail information for auditing purposes. In this case, you would store one year of audit trail files on this disk.
  Files older than the auditing period are moved to the audit trail long-term storage disk.
- Audit trail long-term storage disk
  The audit trail long-term storage disk stores the audit trail files from time periods that are no longer subject to auditing. For example, if an audit is conducted each year, audit trail files that are more than one year old are stored on the audit trail long-term storage disk.
  Ordinarily, there is no reason to reference the audit trail information in the audit trail files stored on the audit trail long-term storage disk. The audit trail files on this disk might be used if a security incident occurs, or the need arises to audit a time period further in the past.
The following figure shows a recommended approach to operating the audit trail facility.
In the preceding figure, because the audit trail files stored on the audit trail long-term storage disk are accessed infrequently, we recommend that you compress them using the gzip command provided by the OS. Consider the size of the disk when deciding whether to compress the files. Because the audit trail files stored on the audit trail storage disk are referenced during auditing, we recommend that these files be stored uncompressed.
Important
- A SELECT statement with the ADB_AUDITREAD function specified can reference audit trail information even if the audit trail file that contains the information is compressed.
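The batch program recommended above, sketched as an added example (it is not code from this manual or from the HADB product): it moves closed files from the output disk to the storage disk, then moves files past the auditing period to the long-term storage disk and compresses them with gzip. The directory paths, the `*.aud` file pattern, the age thresholds, and the use of modification time to skip the file still being written are all assumptions.

```shell
#!/bin/sh
# Added example: tiered rotation of audit trail files across the three disks.
# Paths, the *.aud pattern and the age thresholds are assumptions, not HADB defaults.

# Copy one file into a directory, verify the copy byte for byte, then delete the
# source. Refuses to overwrite an existing audit trail file of the same name.
safe_move() {
    sm_src=$1
    sm_dst="$2/$(basename "$1")"
    sm_tmp="$2/.$(basename "$1").partial"
    [ ! -e "$sm_dst" ] || return 1
    cp -p "$sm_src" "$sm_tmp" && cmp -s "$sm_src" "$sm_tmp" || { rm -f "$sm_tmp"; return 1; }
    mv "$sm_tmp" "$sm_dst" && rm -f "$sm_src"
}

# Output disk ($1) -> storage disk ($2) for files untouched for more than $3 minutes.
# The age check is an assumed way to skip the file the server is still writing.
collect_trails() {
    find "$1" -maxdepth 1 -type f -name '*.aud' -mmin "+$3" | while IFS= read -r f; do
        safe_move "$f" "$2" || echo "collect failed: $f" >&2
    done
}

# Storage disk ($1) -> long-term disk ($2) for files older than $3 days, then gzip.
# cp -p above preserves the modification time, so the file's age survives each move.
archive_trails() {
    find "$1" -maxdepth 1 -type f -name '*.aud' -mtime "+$3" | while IFS= read -r f; do
        safe_move "$f" "$2" && gzip -9 "$2/$(basename "$f")" || echo "archive failed: $f" >&2
    done
}

# Scheduled entry point, e.g. "rotate_audit.sh run" from cron (placeholder paths).
if [ "${1:-}" = "run" ]; then
    collect_trails /audit_out/audit /audit_store 10
    archive_trails /audit_store /audit_longterm 365
fi
```

Verifying the copy before deleting the source matters here because a move between separate disks is a copy followed by an unlink, and a partial copy would otherwise silently lose audit records.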