audbin – linux man page
audbin – process audit log files
USAGE
audbin [OPTIONS] logfile...
DESCRIPTION
Audbin can be used to manage audit log files. It is most useful for
archiving files generated by when running in bin mode.
GENERAL OPTIONS
-S destination
Copies the log file to the given destination. The destination
can contain the following substitution strings:
%u generate a number to make the file name unique.
%t include the current time stamp as integer (number of seconds
since January 1st, 1970).
%h include the hostname as given in the header of the original
log file.
%% include a verbatim percent character.
The special filename - indicates standard output.
-C Clear the log file after saving its contents. This option can
also be used without the -S option.
ADDITIONAL OPTIONS
-o If the destination file exists, overwrite it.
-a If the destination file exists, append the contents of the log
file to it.
-q Do not print any diagnostic messages to standard output.
-T <threshold>
Specify the threshold of free blocks on the -S destination
filesystem that cannot be exceeded. The threshold must be a
decimal number, with optional fraction. It can be expressed as
a percentage, in which case it must end with the '%' character.
Examples:
-T 15000
Do not allow the number of free blocks on the -S destination
filesystem to fall below 15000.
-T 20% Do not allow the number of free blocks on the -S destination
filesystem to fall below 20% of the total blocks on the
filesystem.
If the -N option is not specified, and the threshold is
exceeded, audbin will return an error to auditd causing the
'output { error {' action specified in audit.conf to be
executed.
-N <notify command>
If the -T threshold is going to be exceeded by creation of the
-S destination file, then the notify command will be run.
Occurrences of the string %f within the notify command are
replaced by the path of the oldest file in the -S destination
directory.
Example:
-S /var/log/audit.d/save.%u -T 20% -N 'mv %f /backup'
will, when creation of the new /var/log/audit.d/save.N file
would cause the free blocks on the /var filesystem to amount to
less than 20% of the total blocks, move the oldest file in
/var/log/audit.d with a name prefixed by 'save.' to /backup,
before attempting to create the new save.N file. If the
threshold is still exceeded, the command is repeated for the
next oldest file until the disk usage is within the threshold.
If the -N command should fail (e.g. in the example above, if the
/backup filesystem is full), then audbin will return an error to
auditd causing the 'output { error {' action specified in
audit.conf to be executed.
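The -S, -T and -N semantics described above, as an added example that is not part of audbin or this man page: it expands the -S substitution strings, parses a -T threshold (absolute or percent), and simulates the -N loop over constructed file metadata instead of a real filesystem, returning the notify commands that would be run and whether the threshold could be met.

```python
import re
import time

def expand_destination(template, hostname, unique, now=None):
    """Expand audbin's -S substitution strings: %u, %t, %h, %%."""
    now = int(time.time()) if now is None else now
    out, i = [], 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            k = template[i + 1]
            if k == "u": out.append(str(unique))
            elif k == "t": out.append(str(now))
            elif k == "h": out.append(hostname)
            elif k == "%": out.append("%")
            else: out.append(c + k)  # unknown sequence: kept verbatim (assumption)
            i += 2
        else:
            out.append(c); i += 1
    return "".join(out)

def parse_threshold(spec):
    """'-T 15000' -> (15000.0, False); '-T 20%' -> (20.0, True)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(%?)", spec.strip())
    if not m:
        raise ValueError("bad -T threshold: %r" % spec)
    return float(m.group(1)), m.group(2) == "%"

def free_blocks_required(spec, total_blocks):
    """Minimum free blocks the -S filesystem must keep after the save."""
    value, pct = parse_threshold(spec)
    return total_blocks * value / 100.0 if pct else value

def build_notify_command(notify, path):
    """-N command with every %f replaced by the oldest file's path."""
    return notify.replace("%f", path)

def plan_rotation(free_blocks, total_blocks, new_file_blocks, old_files, spec, notify):
    """Simulate -T/-N: old_files is a constructed list of (path, mtime, blocks)
    for the 'save.' files in the -S directory. Returns (ok, commands)."""
    needed = free_blocks_required(spec, total_blocks)
    candidates = sorted(old_files, key=lambda f: f[1])  # oldest first
    commands = []
    while free_blocks - new_file_blocks < needed:
        if not candidates:  # nothing left to rotate: error back to auditd
            return False, commands
        path, _, blocks = candidates.pop(0)
        commands.append(build_notify_command(notify, path))
        free_blocks += blocks  # assume the -N command freed the file's blocks
    return True, commands
```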