Keeping log files

Steve Grubb sgrubb at redhat.com
Fri Nov 18 18:59:07 UTC 2005


On Friday 18 November 2005 13:37, Mont Rothstein wrote:
> To address rotation time all I can think to do is not rotate and instead
> use cron to periodically rename (with the date), and compress the log file.

Starting with 1.0.12, the audit daemon uses SIGUSR1 to tell it to rotate log 
files. (This is if you do not want to rotate by size.) This was encoded into 
the init script so you can do "service auditd rotate" and it will. You can 
then create a cron script that does this. The audit daemon will be 
using /var/log/audit/audit.log (or whatever the config file says), which means 
all other files can be zipped if you wish.

Also, "aureport -t" will display the time ranges in the log files. It takes 
the "-if" option if you want it to run against a particular file.

> My concern is how to safely get the existing logs and start from scratch
> without potentially losing log entries. If I copy the log file and then
> use /dev/null to clear the existing file, then there is a window between
> the cp and the /dev/null.

Don't do this.

> If I move the file will a HUP sent to auditd break the connection to the old
> logfile and start a new one?

Haven't checked and it's not the preferred way to do things.

> Has anyone else done this? Is there a better option than the ones I've
> listed here?

Also note that when you zip the files, the audit utilities will no longer be 
able to directly read the files. You'll have to unzip the files to do any 
searching/reporting.

-Steve

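As an added example (not part of Steve's reply or of the audit package itself), the following cron-friendly helper follows the advice above: it asks auditd to rotate via "service auditd rotate" (falling back to SIGUSR1 against the daemon's pidfile), waits briefly for the daemon to switch files, then date-stamps and gzips only the already-rotated audit.log.N files and never touches the live audit.log, so no records are lost in a copy-then-truncate window. The log directory, the pidfile path, the settle delay and the "run" argument are assumptions for this script; the date-stamped rename also avoids a later audit.log.1 being compressed over an earlier audit.log.1.gz.

```shell
#!/bin/sh
# Hypothetical cron helper for time-based auditd rotation (added example,
# not from the linux-audit thread). Assumed paths/defaults are overridable.
set -eu

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"          # assumption: default log_file dir
PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"   # assumption: auditd pidfile location

# Ask auditd to rotate its log. Prefer the init script action that exists
# from 1.0.12 on; fall back to sending SIGUSR1 to the daemon ourselves.
rotate_auditd() {
    if command -v service >/dev/null 2>&1 && service auditd rotate >/dev/null 2>&1; then
        return 0
    fi
    if [ -r "$PIDFILE" ]; then
        kill -USR1 "$(cat "$PIDFILE")"
        return 0
    fi
    echo "cannot signal auditd: no service script and no $PIDFILE" >&2
    return 1
}

# Archive rotated files: every audit.log.N (N numeric) is renamed to
# audit.log-<stamp>.N and gzipped. The live audit.log and files that are
# already .gz are skipped. Prints the number of files archived.
archive_rotated() {
    dir="$1"; stamp="$2"
    n=0
    for f in "$dir"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue              # no match: glob stayed literal
        case "$f" in *.gz) continue ;; esac  # already compressed
        suffix="${f##*audit.log.}"           # the N in audit.log.N
        dest="$dir/audit.log-$stamp.$suffix"
        mv "$f" "$dest"
        gzip "$dest"                         # becomes audit.log-<stamp>.N.gz
        n=$((n + 1))
    done
    echo "$n"
}

main() {
    stamp=$(date +%Y%m%d-%H%M%S)
    rotate_auditd
    sleep "${ROTATE_SETTLE:-2}"   # assumption: enough time for auditd to switch files
    archived=$(archive_rotated "$AUDIT_DIR" "$stamp")
    echo "archived $archived rotated audit log(s) under $AUDIT_DIR"
}

# Only perform the rotation when explicitly asked, e.g. from cron:
#   0 0 * * * /usr/local/sbin/audit-rotate.sh run
case "${1:-}" in run) main ;; esac
```

Because the compressed archives are not readable by the audit tools directly, reporting on an old file means decompressing it first, for example with "gzip -dc audit.log-20051118-185907.1.gz > /tmp/old.log" and then "aureport -t -if /tmp/old.log".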