Yup, discovered that. So what I do now is to analyze the old one, put the results in the
file that gets grabbed by the Unix box, and then run that SET command.
Seems to work OK so far.
Sampsa
On 11 Jan 2010, at 16:05, gerry77 at mail.com wrote:
On Mon, 11 Jan 2010 13:18:42 +0000, you wrote:
Gents,
I'm in the process of installing ArcSight on my network, and basically
it works by running an ANALYZE/AUDIT/FULL command on SECURITY.AUDIT
$JOURNAL and then importing the output file on a separate Unix for log
processing.
I'm trying to find a way of clearing the current audit log (since I'm
extracting the events out of it, I don't want duplicates, /SINCE risks
missing events that happen within the delta). What is the proper way
of clearing the security audit log?
What about SET AUDIT/SERVER=NEW_LOG to create a new version of the journal
before processing (i.e.: create new log then analyze the old one)? :-)
HTH,
G.
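The "create the new log first, then analyze the old one" ordering suggested above, written out as a DCL command procedure. This is an added example, not code from either poster: it assumes the default journal location SYS$MANAGER:SECURITY.AUDIT$JOURNAL, that the procedure runs with SECURITY privilege, and a hypothetical export directory for the output file; it also records the exact journal version before rotating so that a re-run never re-extracts the same events.

```dcl
$! Added example (not from the thread): rotate the audit journal first,
$! then analyze only the version that was just closed, so the extract has
$! neither a gap (events written during the analysis go to the new file)
$! nor duplicates (each version is analyzed exactly once).
$ SET NOON
$ JOURNAL = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$ OUTDIR  = "DKA100:[ARCSIGHT.EXPORT]"      ! hypothetical export area
$!
$! Remember the exact version that is current right now; this is the file
$! the audit server stops writing to once a new log is started.
$ OLD_LOG = F$SEARCH(JOURNAL)
$ IF OLD_LOG .EQS. ""
$ THEN
$     WRITE SYS$OUTPUT "No audit journal found at ''JOURNAL'"
$     EXIT 2
$ ENDIF
$!
$! Start a new journal version (needs SECURITY privilege). From here on
$! new events land in the new file, so nothing is lost during analysis.
$ SET AUDIT/SERVER=NEW_LOG
$ IF .NOT. $STATUS
$ THEN
$     WRITE SYS$OUTPUT "SET AUDIT/SERVER=NEW_LOG failed, status ''$STATUS'"
$     EXIT $STATUS
$ ENDIF
$!
$! Name the extract after the date and the journal version so a re-run
$! of this procedure on the same version overwrites rather than duplicates.
$ VER     = F$PARSE(OLD_LOG,,,"VERSION") - ";"
$ STAMP   = F$CVTIME(,"COMPARISON","DATE") - "-" - "-"
$ OUTFILE = OUTDIR + "AUDIT_" + STAMP + "_V" + VER + ".TXT"
$!
$! Full-format analysis of the closed version only; the Unix side picks
$! up OUTFILE from the export area.
$ ANALYZE/AUDIT/FULL/OUTPUT='OUTFILE' 'OLD_LOG'
$ IF .NOT. $STATUS
$ THEN
$     WRITE SYS$OUTPUT "ANALYZE/AUDIT failed on ''OLD_LOG', status ''$STATUS'"
$     EXIT $STATUS
$ ENDIF
$ WRITE SYS$OUTPUT "Extracted ''OLD_LOG' to ''OUTFILE'"
$ EXIT 1
```

Because the version being analyzed is captured before SET AUDIT/SERVER=NEW_LOG runs, the procedure never touches the journal the audit server is currently writing to.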