Another thing: Anyone know how to make the standard SSHD (TCP/IP services 5.4, I think) report login failures into the security journal? At the moment the Telnet and DECNET login stuff is logged, but now SSH. Any ideas? Sampsa On 11 Jan 2010, at 16:05, gerry77 at mail.com wrote: On Mon, 11 Jan 2010 13:18:42 +0000, you wrote: Gents, I'm in the process of installing ArcSight on my network, and basically it works by running an ANALYZE/AUDIT/FULL command on SECURITY.AUDIT $JOURNAL and then importing the output file on a separate Unix for log processing. I'm trying to find a way of clearing the current audit log (since I'm extracting the events out of it, i don't want duplicates, /SINCE risks missing events that happen within the delta). What is the proper way of clearing the security audit log? What about SET AUDIT/SERVER=NEW_LOG to create a new version of the journal before processing (i.e.: create new log then analyze the old one)? :-) HTH, G.