=====  How To Rollover Accounting Datafile =====

1. Locate and check the size of the current ACCOUNTNG.DAT file:

<code>
$ SET DEFAULT SYS$MANAGER
$ DIRECTORY /SIZE /DATE /PROTECTION ACCOUNTNG.DAT

Directory SYS$SYSROOT:[SYSMGR]

ACCOUNTNG.DAT;47     1062237  21-JUN-2018 10:53:56.21  (RWED,RWED,RE,)
ACCOUNTNG.DAT;46     1322520   4-FEB-2018 08:38:01.44  (RWED,RWED,RE,)
ACCOUNTNG.DAT;29     3232751  20-SEP-2016 13:25:12.69  (RWED,RWED,RE,)

Total of 3 files, 5617508 blocks.
</code>

2. Create a new version of the ACCOUNTNG.DAT logfile:

<code>
$ SET PROCESS /PRIVILEGE=SYSPRV
$ SET ACCOUNTING /NEW_FILE /LOG
%SET-I-ACCENAB, accounting enabled for PROCESS,INTERACTIVE,LOGIN_FAILURE,SUBPROCESS,DETACHED,BATCH,NETWORK,PRINT,MESSAGE
%SET-I-NEWFILE, new accounting file created
$ SET PROCESS /PRIVILEGE=NOSYSPRV
</code>

3. Purge old file versions to free up space -- keep as many recent versions as you like, but consider whether you'll ever actually need to investigate events in those older files (it hardly ever happens, but again, YMMV).

<code>
$ PURGE /KEEP=2 ACCOUNTNG.DAT
</code>

 Of course, you can ''PURGE /KEEP='' any number of versions that you like or need – just don't “keep everything,” as most older versions of this file are just obsolete junk-data (past a certain reasonable “shelf-life”).

If external and/or formal audits are a business requirement, consider archiving older versions of ACCOUNTNG.DAT offline (e.g., to tape or nearline SAN storage, etc.) so that date-stamped (historical) versions of the file can be produced for auditing examination and approval.  The forensic or auditing value of this file is far less than that of SECURITY.AUDIT$JOURNAL, but it does provide some visibility of system/user process events that could be useful in some security auditing circumstances.

Done.

==== How Often Should ACCOUNTNG.DAT Be Rolled-Over? ====

Different systems and business environments have different operational requirements, but here are a few rules of thumb, and your own specific requirement is likely a combination of two or more of these:

  * Whenever the Accounting Logfile size gets larger than "a few hundred-MB."
  * Specifically per internal or external/regulatory auditing requirements (but less valuable than the Security Audit Journal file).
  * Monthly.
  * Quarterly.
  * Maybe even annually.
  * With every system reboot (not suitable for systems which run for months or years without rebooting).