To support efficient operation of audit disposition, and to accurately process records in the audit log, an audit processing application must set bookmarks. A bookmark is a leave-off point in the audit log, which indicates the last record processed by the audit processing application. When an audit processing application ends a session, it sets its bookmark with an audit sequence number corresponding to the last record processed; when it later starts a new session, it retrieves its bookmark and resumes processing at the audit sequence number where it left off.
There can be multiple bookmarks, each reflecting a different audit processing application. Audit disposition deletes only those audit entries with audit sequence numbers less than the lowest-valued bookmark. In this way, audit disposition ensures that only those audited events that were previously processed by audit processing applications are deleted.
You can also configure audit disposition policies on this tab. See Configuring an audit disposition policy for more information about audit disposition policies.
If an audit processing client neglects to create its bookmark, audit disposition is controlled solely by the audit disposition policy, and unprocessed audit entries might be deleted prematurely. If the client neglects to update its bookmark, the disposition thread might skip records that have already been processed and could otherwise be deleted. If you permanently discontinue running your audit processing client, delete the bookmark associated with the client.
TIP: If you encounter a bookmark that does not change for an extended period, verify whether the analytic process that is responsible for the bookmark is still in use. If it is not, delete the bookmark.
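The following model of the lowest-bookmark rule is an added example, not product code or the product API. It shows what is deleted when every client has a bookmark, which unprocessed entries are lost when one client never sets a bookmark, and how to flag a bookmark that has stopped moving. The client names, the day counter, and the single policy_cutoff value that stands in for the disposition policy are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Bookmark:
    client: str        # hypothetical audit processing client name
    seq: int           # audit sequence number of the last record processed
    updated_day: int   # day the bookmark last changed (constructed counter)

def deletion_boundary(bookmarks, policy_cutoff):
    """Entries with a sequence number below the returned value may be deleted.

    policy_cutoff is a simplification of the disposition policy: the policy
    alone would allow deletion of everything below it.
    """
    if not bookmarks:                      # no bookmark: policy alone decides
        return policy_cutoff
    return min(policy_cutoff, min(b.seq for b in bookmarks))

def dispose(log, bookmarks, policy_cutoff):
    """Split the log into (kept, deleted) sequence numbers."""
    boundary = deletion_boundary(bookmarks, policy_cutoff)
    return ([s for s in log if s >= boundary], [s for s in log if s < boundary])

def lost_unprocessed(deleted, progress):
    """Deleted records that a client had not yet processed, per client."""
    return {c: [s for s in deleted if s > last] for c, last in progress.items()}

def stale(bookmarks, today, max_idle_days):
    """Bookmarks unchanged for longer than max_idle_days: candidates to verify."""
    return [b.client for b in bookmarks if today - b.updated_day > max_idle_days]

# Constructed sample: ten audit entries, two clients at different positions.
LOG = list(range(1, 11))
PROGRESS = {"siem-export": 7, "compliance-report": 4}   # true last-processed seq
BOTH = [Bookmark("siem-export", 7, 100), Bookmark("compliance-report", 4, 10)]
ONLY_SIEM = BOTH[:1]                    # compliance-report never set a bookmark

if __name__ == "__main__":
    print(dispose(LOG, BOTH, policy_cutoff=9))
    _, deleted = dispose(LOG, ONLY_SIEM, policy_cutoff=9)
    print(lost_unprocessed(deleted, PROGRESS))
    print(stale(BOTH, today=101, max_idle_days=30))
```

In the sample, the compliance-report bookmark that has not moved since day 10 is also the one holding the deletion boundary at 4, which is why an unchanging bookmark is worth verifying.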
To manage bookmarks