1. Locate and check the size of the current SECURITY.AUDIT$JOURNAL file:
$ SET DEFAULT SYS$MANAGER $ DIRECTORY /SIZE /DATE /PROTECTION SECURITY$AUDIT$JOURNAL Directory SYS$COMMON:[SYSMGR] SECURITY.AUDIT$JOURNAL;18 271030 1-AUG-2018 10:03:56.14 (RWED,RWED,RE,) SECURITY.AUDIT$JOURNAL;17 636538 4-FEB-2018 08:37:07.26 (RWED,RWED,RE,) Total of 2 files, 907568 blocks.
2. Create a new version of the SECURITY.AUDIT$JOURNAL logfile:
$ ! Requires SECURITY, and possibly SYSPRV, privilege: $ SET PROCESS /PRIVILEGE=(SYSPRV,SECURITY) $ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200 ! resets space-monitoring $ SET AUDIT /SERVER=NEW_LOG $ SET PROCESS /PRIVILEGE=(NOSYSPRV,NOSECURITY)
3. Purge old file versions to free up space – keep as many recent versions as you like, but consider whether you'll ever actually need to investigate events in those older files (it hardly ever happens, but again, YMMV).
$ PURGE /KEEP=2 SECURITY.AUDIT$JOURNAL $ SET PROCESS /PRIVILEGE=(NOSYSPRV,NOSECURITY)
Of course, you can PURGE /KEEP= any number of versions that you like or need – just don't “keep everything,” as most older versions of this file are just obsolete junk-data (past a certain reasonable “shelf-life”).
If external and/or formal audits are a business requirement, consider archiving older versions of SECURITY.AUDIT$JOURNAL offline (e.g., to tape or nearline SAN storage, etc.) so that date-stamped (historical) versions of the file can be produced for auditing examination and approval.
Different systems and business environments have different operational requirements, but here are a few rules of thumb, and your own specific requirement is likely a combination of two or more of these: