Keeping log files

Mont Rothstein mont.rothstein at gmail.com
Fri Nov 18 19:36:58 UTC 2005


Perfect. That is exactly what I was looking for.

Did I miss this in a man page? If not, it might be useful to add.

I understand that I have to uncompress before parsing.

Learning ausearch and aureport are on my list of things to do :-)

Thanks,
-Mont

On 11/18/05, Steve Grubb <sgrubb at redhat.com> wrote:
>
> On Friday 18 November 2005 13:37, Mont Rothstein wrote:
> > To address rotation time all I can think to do is not rotate and instead
> > use cron to periodically rename (with the date), and compress the log file.
>
> Starting with 1.0.12, the audit daemon uses SIGUSR1 to tell it to rotate log
> files (this is if you do not want to rotate by size). This was encoded into
> the init script so you can do "service auditd rotate" and it will. You can
> then create a cron script that does this. The audit daemon will be using
> /var/log/audit/audit.log (or whatever the config file says) which means all
> other files can be zipped if you wish.
>
> Also, "aureport -t" will display the time ranges in the log files. It takes
> the "-if" option if you want it to run against a particular file.
>
> > My concern is how to safely get the existing logs and start from scratch
> > without potentially losing log entries. If I copy the log file and then
> > use /dev/null to clear the existing file, then there is a window between
> > the cp and the /dev/null.
>
> Don't do this.
>
> > If I move the file will a HUP sent to auditd break the connection to the old
> > logfile and start a new one?
>
> Haven't checked and it's not the preferred way to do things.
>
> > Has anyone else done this? Is there a better option than the ones I've
> > listed here?
>
> Also note that when you zip the files, the audit utilities will no longer be
> able to directly read the files. You'll have to unzip the files to do any
> searching/reporting.
>
> -Steve
>
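The cron-driven rotate-then-compress procedure Steve outlines, written out as an added example (not code from the thread or from the audit project). It assumes the default /var/log/audit/audit.log location mentioned above, that "service auditd rotate" or SIGUSR1 (auditd 1.0.12+) triggers the rotation, and that pidof, gzip and aureport are available; the active log is never touched, and because the audit tools cannot read gzip'd files, reporting on an old file goes through a decompressed temporary copy with "aureport -t -if".

```shell
#!/bin/sh
# Added example: nightly auditd rotation + compression from cron.
# LOGDIR/ACTIVE are assumptions; match them to log_file in auditd.conf.
set -eu

LOGDIR="${LOGDIR:-/var/log/audit}"
ACTIVE="${ACTIVE:-audit.log}"

# Ask auditd to open a fresh log. auditd 1.0.12+ rotates on SIGUSR1, and the
# init script wraps that as "service auditd rotate"; fall back to the signal
# (pidof assumed available) when the init script is missing.
rotate_auditd() {
    if [ -x /etc/init.d/auditd ]; then
        service auditd rotate
    else
        kill -USR1 "$(pidof auditd)"
    fi
}

# Compress every rotated file (audit.log.1, audit.log.2, ...) under $1, but
# never the active log auditd is still writing to. Files already ending in
# .gz are skipped, so repeated cron runs are harmless. Prints the count of
# files compressed in this run.
compress_rotated() {
    dir="$1"
    n=0
    for f in "$dir"/"$ACTIVE".[0-9]*; do
        [ -f "$f" ] || continue
        case "$f" in *.gz) continue ;; esac
        gzip -9 "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# The audit utilities cannot read compressed logs: decompress $1 to a temp
# copy and point aureport at it with -if, then remove the copy.
report_compressed() {
    tmp="$(mktemp)"
    gunzip -c "$1" > "$tmp"
    aureport -t -if "$tmp"
    rm -f "$tmp"
}

# Only perform the rotation when invoked as "audit-rotate.sh run" (cron);
# sourcing the file just defines the functions.
case "${1:-}" in
    run) rotate_auditd; compress_rotated "$LOGDIR" ;;
esac
```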