Using System Auditing and Monitoring
The auditing service (auditd) on Oracle Linux records events at the kernel level that you can analyze to identify unauthorized activity. Auditing captures more data, in greater detail, than system logging, but most audited events are routine and of no security interest. Examining an audit trail to find the events that matter is therefore a significant effort, and one that you should automate, for example with the ausearch and aureport tools or with a script that filters the raw records.
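As an added example that is not part of the Oracle Linux documentation, the following script automates the triage described above. It parses the raw key=value records that auditd writes to audit.log, regroups records that belong to the same event (same serial number), and flags failed logins, commands that hit a watched rule key, and commands that ran as uid 0 under a different login uid. The sample records are constructed for this example, and the rule key "privileged" is an assumption (it stands for a key you would attach to your own rules with -k).

```python
"""Triage raw auditd records for events of interest.

Added example, not part of the Oracle Linux documentation. The records in
SAMPLE_LOG are constructed, and the watched rule key "privileged" is an
assumed name for a key set with -k in your own audit rules.
"""
import re

# Constructed sample records (not captured from a real system). One audit
# event (same serial number) may span several records, e.g. a SYSCALL
# record followed by the EXECVE record that carries its argument vector.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.100:101): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000000.200:102): pid=901 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="privileged"
type=EXECVE msg=audit(1700000000.300:103): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1500 pid=1502 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1700000000.400:104): argc=1 a0="ls"
"""

# Every raw record starts with "type=<TYPE> msg=audit(<seconds>:<serial>):".
_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# Remaining fields are key=value tokens; values may be "quoted", 'quoted' or bare.
_TOKEN = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

UNSET_UID = "4294967295"  # auid reported for processes that belong to no login session


def parse_fields(text):
    """Turn a key=value list into a dict. USER_* records nest a second list
    inside msg='...'; it is flattened into the same dict."""
    fields = {}
    for key, raw in _TOKEN.findall(text):
        if raw[:1] == "'" and raw[-1:] == "'":
            fields.update(parse_fields(raw[1:-1]))
        else:
            fields[key] = raw.strip('"')
    return fields


def parse_record(line):
    """Split one raw record into (type, timestamp, serial, fields); None if malformed."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return rtype, float(ts), int(serial), parse_fields(rest)


def group_events(log_text):
    """Group records by serial number, keyed by record type, in serial order."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue  # skip lines that are not audit records
        rtype, ts, serial, fields = rec
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": {}})
        ev["records"][rtype] = fields  # a repeated type (e.g. several PATH records) keeps the last one
    return [events[s] for s in sorted(events)]


def argv_of(event):
    """Rebuild the command line from an EXECVE record's a0..a(argc-1) fields."""
    ex = event["records"].get("EXECVE")
    if not ex:
        return []
    return [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", "0")))]


def triage(log_text, watched_keys=("privileged",)):
    """Return (serial, description) pairs for the events worth a closer look."""
    findings = []
    for ev in group_events(log_text):
        recs = ev["records"]
        login = recs.get("USER_LOGIN")
        if login and login.get("res") == "failed":
            findings.append((ev["serial"], f"failed login acct={login.get('acct')} addr={login.get('addr')}"))
        sc = recs.get("SYSCALL")
        if sc:
            cmd = " ".join(argv_of(ev)) or sc.get("exe", "?")
            if sc.get("key") in watched_keys:
                findings.append((ev["serial"], f"watched key {sc['key']}: {cmd}"))
            auid, uid = sc.get("auid"), sc.get("uid")
            # auid is the uid that logged in; uid 0 under another auid means su/sudo/setuid.
            if auid not in (None, UNSET_UID) and uid == "0" and auid != uid:
                findings.append((ev["serial"], f"uid 0 command by login uid {auid}: {cmd}"))
    return findings


if __name__ == "__main__":
    for serial, why in triage(SAMPLE_LOG):
        print(serial, why)
```

Run it against a copy of a real audit.log by replacing SAMPLE_LOG with the file's contents; if auditd writes with log_format = ENRICHED, the extra upper-case fields appended to each record are picked up by the same tokenizer. Keying on auid rather than uid is what makes the third check useful: auid survives su and sudo, so the finding names the person, not the account they became.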
The audit configuration file, /etc/audit/auditd.conf, defines the data retention policy, the maximum size of the audit volume, the action to take if the capacity of the audit volume is exceeded, and the location of the local audit trail volume. The default audit trail volume is /var/log/audit/audit.log. Forwarding the audit trail to a remote collector is handled by the audisp-remote plugin, which is enabled in /etc/audit/plugins.d/au-remote.conf and takes the remote server address from /etc/audit/audisp-remote.conf.
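The settings named above are the ones that decide whether audit data is kept or quietly lost. As an added example that is not part of the Oracle Linux documentation, the following script parses an auditd.conf and reports settings that let the trail be lost silently, showing a weak configuration beside a hardened one. Both configurations are constructed for this example, and the baseline it checks against (rotate on size, keep history, never IGNORE a low-space warning, drop to single-user mode or halt when the volume is exhausted) is this example's own assumption rather than a policy stated on the page.

```python
"""Check auditd.conf retention and overflow settings against a baseline.

Added example, not part of the Oracle Linux documentation. WEAK_CONF and
HARDENED_CONF are constructed; the baseline encoded in check_auditd_conf
is an assumption for illustration and should be replaced by your policy.
"""

# Constructed: a configuration that drops audit data without any action.
WEAK_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
max_log_file = 8
max_log_file_action = IGNORE
num_logs = 0
space_left = 75
space_left_action = IGNORE
admin_space_left = 50
admin_space_left_action = SYSLOG
disk_full_action = IGNORE
disk_error_action = IGNORE
"""

# Constructed: rotate at 8 MB keeping five old logs, mail root when space
# runs low, and drop to single-user mode rather than keep running unaudited.
HARDENED_CONF = """\
log_file = /var/log/audit/audit.log
log_format = ENRICHED
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
space_left = 75
space_left_action = EMAIL
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SINGLE
disk_full_action = SINGLE
disk_error_action = SINGLE
"""

# Assumed baseline (not from the page): actions that stop the system from
# running without an audit trail, and actions that keep the trail when the
# log reaches max_log_file.
STOP_ACTIONS = {"SINGLE", "HALT"}
ROTATE_ACTIONS = {"ROTATE", "KEEP_LOGS"}


def parse_auditd_conf(text):
    """Parse the 'key = value' lines of auditd.conf; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def check_auditd_conf(text):
    """Return (key, value, reason) for each setting that violates the baseline."""
    conf = parse_auditd_conf(text)

    def get(key):
        return conf.get(key, "").upper()  # auditd accepts action names in any case

    problems = []
    if not conf.get("log_file", "").startswith("/"):
        problems.append(("log_file", conf.get("log_file", ""), "must be an absolute path"))
    if get("max_log_file_action") not in ROTATE_ACTIONS:
        problems.append(("max_log_file_action", conf.get("max_log_file_action", ""),
                         "log must rotate when max_log_file is reached, not ignore the limit or stop writing"))
    elif get("max_log_file_action") == "ROTATE" and int(conf.get("num_logs", "0") or 0) < 2:
        problems.append(("num_logs", conf.get("num_logs", ""), "rotation keeps no history"))
    if get("space_left_action") in ("", "IGNORE"):
        problems.append(("space_left_action", conf.get("space_left_action", ""),
                         "low-space warning is silently dropped"))
    for key in ("admin_space_left_action", "disk_full_action", "disk_error_action"):
        if get(key) not in STOP_ACTIONS:
            problems.append((key, conf.get(key, ""),
                             "system keeps running unaudited when the audit volume is exhausted"))
    return problems


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_auditd_conf(text) or "OK")
```

Point it at the live file with check_auditd_conf(open("/etc/audit/auditd.conf").read()). Dropping to single-user mode on a full audit volume is deliberate: it trades availability for the guarantee that nothing runs unrecorded, which is the trade-off this file exists to express, so pick the action knowingly rather than inheriting a default.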
For more detailed information about auditing and monitoring Oracle Linux systems, see Oracle Linux 8: Monitoring and Tuning the System.