The .zat audit trail files written by SCB use a proprietary binary file format that is compressed on-the-fly.
The size of the files depends heavily on the type of actions performed by the monitored user, and also on the screen
resolution used in graphical connections. If file transfers within the session are also audited by SCB, the size
of the transferred files must be added to the calculation.
The typical size of the audit trail files, assuming a typical administrative workflow and depending on the terminal
window size and the screen resolution:
■ SSH / Telnet: ~15-35 KB / minute (~1-2 MB / hour)
■ RDP: ~2-10 MB / minute *
■ Citrix ICA: ~1-5 MB / minute *
■ VNC: ~5-20 MB / minute *
■ HTTP: depending on the monitored web content.
The screen resolution of graphical sessions has a significant impact on the size of the audit trail file. The following examples are for audit trails containing constant activity. Administrative activity is typically not sustained in real life, so we calculate with a different size for disk occupation. More sophisticated disk occupation sizing should be the outcome of a Proof of Concept.
■ 1024x768: less than 1 MB / minute.
■ 1680x931: ~5 MB / minute.
■ 1920x1080: ~10 MB / minute.