Hello, I am a newbie to Unix administration (specifically Solaris 9). I have everything setup properly for auditing but I neglected to realize I needed to start a new logfile each week. Thus the one logfile grew to about 2.5GB before the auditreduce command could no longer process the file.

Does anyone know of a way to split a raw binary audit file into two parts that are both useable? I attempted to use split but either because the second part did not have appropriate header information or, more likely, because the split was not exactly on a record boundry the second part is unuseable.

Please help!

Caveat: I know nothing about Solaris audit files, but since there are no answers yet...

dd(1) is a useful tool for dealing with binary data
Are the records in the binary file a fixed size?
If so, and you have an idea how many records you want to copy from the original file, you could do something like
to copy n records from the beginning of the file. Then to copy the remaining m records

Acutally I have no idea the format of the Solaris audit files which is part of the problem. I did some initial searches but could not find specifics on what the records would look like.

FWIW -
read the source for the bsmGUI to find the record structure
SourceForge.net: bsmGUI

An alternative approach might be to try streaming the audit file into your parsing tool instead of opening a file handle within it, thusly: