09-26-2011 08:42 AM
The auditing operation and filtering are done inside the kernel, by necessity, so that sharply limits the ability of the auditing system to make use of non-kernel resources such as the syslog daemon. There's also a significant performance issue involved - you wouldn't want each open() or read() system call to have to wait on a congested network connection, or hang your system because of a network outage, as it was trying to reach an unreachable syslog server.
I'd suggest a cron job to periodically run the audit_p2l script or something like it to deliver the accumulated audit information into syslog.
Audit Reporting Tools - A set of tools that facilitates the processing of previously collected HP-UX raw audit data and extracts useful information for compliance reporting purposes. The audit reporting tools consist of the following main components:
- An Audit DPMS service module, audit_hpux_portable, that handles audit data that is portable from system to system, and good for retention purposes. Also a sample script, audit_p2l, that demonstrates how to convert the portable data into syslog-like messages.
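
A sketch of the delivery half of the cron job suggested above, as an added example that is not part of the original post or of HP's tools. It assumes the converter (audit_p2l or similar, whose invocation is site-specific and not shown) has already written one syslog-like line per record to a file, and that `logger` accepts `-p`/`-t` and reads messages from stdin; the paths, tag and priority are hypothetical.

```shell
#!/bin/sh
# Forward only the not-yet-sent lines of a converted audit file to syslog.
# Meant to run from cron after the converter step, e.g. (hypothetical paths):
#   0,15,30,45 * * * * /usr/local/sbin/audit2syslog /var/tmp/audit.txt /var/tmp/audit.state

LOGGER=${LOGGER:-logger}            # can be overridden for a dry run
PRIORITY=${PRIORITY:-auth.notice}   # assumed facility.level
TAG=${TAG:-hpux-audit}              # assumed syslog tag

# forward_new_lines SRC STATE
# SRC   = file of syslog-like lines produced by the converter
# STATE = file holding the count of lines already forwarded
# Prints the number of lines handed to logger on this run.
forward_new_lines() {
    src=$1
    state=$2
    [ -r "$src" ] || { echo 0; return 1; }

    done_lines=0
    [ -s "$state" ] && done_lines=$(cat "$state")
    # A damaged state file must not break the arithmetic below.
    case $done_lines in ''|*[!0-9]*) done_lines=0 ;; esac

    # wc -l counts newlines, so a half-written last record waits for the next run.
    total=$(wc -l < "$src" | tr -d ' ')
    # Fewer lines than last time means the file was recreated: start over.
    [ "$total" -lt "$done_lines" ] && done_lines=0

    sent=0
    if [ "$total" -gt "$done_lines" ]; then
        # head caps the batch at the count taken above, so lines appended
        # meanwhile are neither skipped nor sent twice.
        if tail -n +"$((done_lines + 1))" "$src" |
           head -n "$((total - done_lines))" |
           $LOGGER -p "$PRIORITY" -t "$TAG"
        then
            sent=$((total - done_lines))
            echo "$total" > "$state"    # advance only after logger succeeded
        fi
    fi
    echo "$sent"
}

if [ $# -eq 2 ]; then
    forward_new_lines "$1" "$2"
fi
```

Because the state file only advances when `logger` exits successfully, a failed run is retried from the same position on the next cron interval.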