The audit system includes several components. The main components are:
The sybsecurity device and the sybsecurity database, which stores audit information
The audit trail, which consists of several audit devices and tables that you determine at configuration time
The syslogs transaction log device, which stores transaction logs
The sybsecurity device stores the sybsecurity database. The sybsecurity database is created as part of the auditing configuration process. It contains all the system tables in the model database, as well as a system table for keeping track of server-wide auditing options and system tables for the audit trail.
The Cluster Edition stores the audit trail in system tables, named sysaudits_01 through sysaudits_08. At any given time, only one of the audit tables is current. The Cluster Edition writes all audit data to the current audit table. A System Security Officer can use sp_configure to set or change which audit table is current.
When you configure the Cluster Edition for auditing, you determine the number of audit tables for your installation. You can specify up to eight system tables (sysaudits_01 through sysaudits_08). Plan to use at least two or three system tables for the audit trail and to put each system table on its own device, separate from the master device. If you do this, you can use a threshold procedure that archives the current audit table automatically, before it fills up and switches to a new, empty table for subsequent audit records.
During auditing configuration, you must specify a separate device for the syslogs system table, which contains the transaction log. The syslogs table, which exists in every database, contains a log of transactions that are executed in the database.
