question

David Flatley dflatley at us.ibm.com
Mon Nov 3 02:42:47 UTC 2008


Sorry, I am in error on the storage question. I do have limited storage on some of my systems and, depending on my rules and what is running on the systems, this could cause an issue. Presently I am using the S.T.I.G. recommendations but I may have to use more extensive rules, which I am in the process of testing.

Thanks for the reply, Steve.



On Friday 31 October 2008 14:21:12 David Flatley wrote:
>     If you would indulge my simpler in comparison question of the group. I
> am setting up audit on heavy usage systems. I have set up my auditd.conf to
> rotate the files once they get to 70 meg and allow up to 12 rotated files.

You don't need to limit the files to 12 unless you are short on disk space.
You can use keep_logs as the max_log_file option and one will not be lost.

Disk space is not a problem if the day's logging is collected and stored,
which is required.

> I created a cron that runs hourly to look and see if a ninth rotated file
> exists and if so run "ausearch -i" outputted to a file and store the
> file,

You shouldn't need to ausearch the file? Are you doing that to split the file
on a time hack? In that case you can just about as easily do a "service
auditd rotate" and force auditd to end at a certain time rather than by size.

Yes, and then I could use ausearch -if <file> when I need to look at the logs
after they have been moved to storage. Or apply the ausearch -i when I do the
storage of the file; I do this to convert from numerical to text on the file.

> then remove the rotated files. I run the cron to avoid losing data if
> there is a lot of activity and rotated files are rolled off. I also have to
> balance performance with auditing in this arrangement.

Perhaps we need the capability of switching out partitions used for logging?
Maybe that could be solved by using the space left action exec capability to
run a custom program that re-writes the audit config file or changes a
symlink to point to another config file to point to a new dir and then sends
sighup to the parent (auditd).

Maybe some others have ideas about how they solve the same problem. If we need
to make changes to the audit daemon to make this smoother, let me know what's
needed.

-Steve
--
Linux-audit mailing list
Linux-audit at redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
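Added example, not code from either poster: a small POSIX shell script for the hourly cron job David describes (archive rotated audit.log.N files before num_logs rolls them off) together with the time-based rotation Steve suggests. It assumes the stock auditd layout (/var/log/audit/audit.log with numeric rotation suffixes, pid file /var/run/auditd.pid) and that "service auditd rotate" is equivalent to sending SIGUSR1 to auditd; the archive directory name and the 9-file threshold are constructed values. Each rotated file is written through ausearch -i (numeric ids to names) when ausearch is installed and copied verbatim otherwise, and the raw file is removed only after the archive copy exists, so a failed copy never loses records.

```shell
#!/bin/sh
# Example cron job for archiving rotated auditd logs (constructed example).
#
# auditd.conf settings this script complements (rotate by size, keep 12):
#   max_log_file = 70
#   max_log_file_action = rotate
#   num_logs = 12
# If disk space allows, "max_log_file_action = keep_logs" avoids the roll-off
# problem entirely and this archive step becomes optional.

# Print the highest numeric rotation suffix of audit.log.* in $1 (0 if none).
highest_rotation() {
    dir=$1
    n=0
    for f in "$dir"/audit.log.*; do
        [ -e "$f" ] || continue
        s=${f##*.}
        case $s in *[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        [ "$s" -gt "$n" ] && n=$s
    done
    echo "$n"
}

# Archive every audit.log.N with N >= $3 from log dir $1 into archive dir $2.
# Prints the number of files archived; returns non-zero if the archive dir
# cannot be created. The raw file is removed only after its copy is in place.
archive_rotated() {
    logdir=$1
    archive=$2
    threshold=$3
    mkdir -p "$archive" || return 1
    count=0
    for f in "$logdir"/audit.log.*; do
        [ -e "$f" ] || continue
        s=${f##*.}
        case $s in *[!0-9]*) continue ;; esac
        [ "$s" -ge "$threshold" ] || continue
        stamp=$(date -u +%Y%m%dT%H%M%SZ)
        out="$archive/audit-$stamp-$s.log"
        if command -v ausearch >/dev/null 2>&1; then
            # Interpreted copy (uids, syscalls, etc. as text); fall back to raw.
            ausearch -i -if "$f" > "$out" 2>/dev/null || cp "$f" "$out"
        else
            cp "$f" "$out"
        fi
        [ -s "$out" ] || continue              # copy failed: keep the raw file
        rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Time-based rotation: what "service auditd rotate" does, by signalling auditd.
# Not called by the test; it touches a live system. Pid file path is an assumption.
force_rotate() {
    pidfile=${1:-/var/run/auditd.pid}
    [ -r "$pidfile" ] || return 1
    kill -USR1 "$(cat "$pidfile")"
}

# Hourly cron entry point (constructed paths); archive once a 9th rotation exists.
main() {
    logdir=${AUDIT_LOG_DIR:-/var/log/audit}
    archive=${AUDIT_ARCHIVE_DIR:-/var/log/audit-archive}
    if [ "$(highest_rotation "$logdir")" -ge 9 ]; then
        archive_rotated "$logdir" "$archive" 9
    fi
}

[ "${AUDIT_ARCHIVE_NO_MAIN:-}" = 1 ] || main "$@"
```

Run it from cron with AUDIT_LOG_DIR and AUDIT_ARCHIVE_DIR set for the host; set AUDIT_ARCHIVE_NO_MAIN=1 to source the functions without running the archive step.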