Hello, I am a newbie to Unix administration (specifically Solaris 9). I have everything set up properly for auditing, but I neglected to realize I needed to start a new logfile each week. Thus the one logfile grew to about 2.5GB before the auditreduce command could no longer process the file.
Does anyone know of a way to split a raw binary audit file into two parts that are both usable? I attempted to use split, but either because the second part did not have the appropriate header information or, more likely, because the split was not exactly on a record boundary, the second part is unusable.
Please help!
Caveat: I know nothing about Solaris audit files, but since there are no answers yet...
dd(1) is a useful tool for dealing with binary data
Are the records in the binary file a fixed size?
If so, and you have an idea how many records you want to copy from the original file, you could do something like
dd bs=<record size> count=<n> if=<input file> of=<1st output file>
to copy n records from the beginning of the file. Then to copy the remaining m records
dd bs=<record size> skip=<n> count=<m> if=<input file> of=<2nd output file>
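The dd recipe above only works when every record has the same size. For a length-prefixed record stream it generalises to "walk the records, cut only at an offset where a record starts". The following is an added example, not code from any of the posters: it models each record as a one-byte header token (0x14) followed by a big-endian 32-bit byte count covering the whole record, which is how the BSM header32 token is laid out in audit.log(4), and it skips the optional file token (0x11) that can open or close an audit file. The token ids, field widths and the sample data are constructed assumptions for this example; check them against the audit.log(4) man page for your release before trusting a split.

```python
import struct
import sys
from typing import List, Tuple

# Assumed token ids and layouts (constructed for this example, modelled on
# the BSM header32 and file tokens; verify against audit.log(4)):
#   header32: id(1)=0x14 count(4) version(1) event(2) modifier(2) sec(4) msec(4) ...
#   file:     id(1)=0x11 sec(4) msec(4) namelen(2) name(namelen)
AUT_HEADER32 = 0x14
AUT_OTHER_FILE32 = 0x11


def record_boundaries(data: bytes) -> List[int]:
    """Return the offset at which every header-led record starts.

    File tokens are skipped (they are not records). Raises ValueError if a
    token is unknown or a byte count runs past the end of the data, which
    is exactly what a cut made in the middle of a record looks like."""
    offsets = []
    pos = 0
    while pos < len(data):
        tok = data[pos]
        if tok == AUT_OTHER_FILE32:
            if pos + 11 > len(data):
                raise ValueError(f"truncated file token at offset {pos}")
            namelen = struct.unpack(">H", data[pos + 9:pos + 11])[0]
            pos += 11 + namelen
            if pos > len(data):
                raise ValueError("file token name runs past end of data")
            continue
        if tok != AUT_HEADER32:
            raise ValueError(f"unexpected token 0x{tok:02x} at offset {pos}")
        if pos + 5 > len(data):
            raise ValueError(f"truncated header token at offset {pos}")
        count = struct.unpack(">I", data[pos + 1:pos + 5])[0]
        if count < 5 or pos + count > len(data):
            raise ValueError(f"bad byte count {count} at offset {pos}")
        offsets.append(pos)
        pos += count
    return offsets


def is_well_formed(data: bytes) -> bool:
    """True if the data parses cleanly from first byte to last."""
    try:
        record_boundaries(data)
        return True
    except ValueError:
        return False


def split_audit(data: bytes, n: int) -> Tuple[bytes, bytes]:
    """Split into (first n records, the rest); both halves begin on a boundary."""
    offsets = record_boundaries(data)
    if n < 0 or n > len(offsets):
        raise ValueError(f"n must be between 0 and {len(offsets)}")
    cut = offsets[n] if n < len(offsets) else len(data)
    return data[:cut], data[cut:]


def make_record(payload: bytes) -> bytes:
    """Constructed sample record in the assumed header32 layout."""
    body = bytes([1]) + struct.pack(">HHII", 0, 0, 0, 0) + payload
    return bytes([AUT_HEADER32]) + struct.pack(">I", 5 + len(body)) + body


# Constructed sample file: a leading file token, then three records of
# different lengths (22, 26 and 20 bytes) starting at offsets 16, 38 and 64.
SAMPLE = (bytes([AUT_OTHER_FILE32]) + struct.pack(">IIH", 0, 0, 5) + b"test\0"
          + make_record(b"aaaa") + make_record(b"bbbbbbbb") + make_record(b"cc"))


if __name__ == "__main__":
    # usage: split_audit.py <audit file> <records in first part>
    path, n = sys.argv[1], int(sys.argv[2])
    with open(path, "rb") as fh:
        first, second = split_audit(fh.read(), n)
    for suffix, part in ((".part1", first), (".part2", second)):
        with open(path + suffix, "wb") as out:
            out.write(part)
        print(f"{path + suffix}: {len(part)} bytes, "
              f"{len(record_boundaries(part))} records")
```

Because `record_boundaries` refuses a buffer whose last byte count overruns the data, running it over each output file is a cheap check that the cut really landed on a record boundary, which is the property the original split lacked.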
Actually, I have no idea of the format of the Solaris audit files, which is part of the problem. I did some initial searches but could not find specifics on what the records would look like.
FWIW -
Read the source for bsmGUI to find the record structure:
SourceForge.net: bsmGUI
An alternative approach might be to try streaming the audit file into your parsing tool instead of opening a file handle within it, thusly:
bsm_parse_tool < auditfile