InformationThe macOS audit capability contains important information to investigate security or operational issues. This resource is only completely useful if it is retained long enough to allow technical staff to find the root cause of anomalies in the records.
Retention can be set to respect both size and longevity. To retain as much as possible under a certain size the recommendation is to use:
expire-after:60d OR 1G
More info in the man page man audit_control
The audit records need to be retained long enough to be reviewed as necessary.
The recommendation is that at least 60 days or 1 gigabyte of audit records are retained. Systems that very little remaining disk space may have issues retaining sufficient data.
SolutionPerform the following to set the audit retention length:
Edit the /etc/security/audit_control file so that expire-after: is at least 60d OR 1G