question

Steve Grubb sgrubb at redhat.com
Fri Oct 31 19:50:12 UTC 2008


On Friday 31 October 2008 14:21:12 David Flatley wrote:
>     If you would indulge my simpler in comparison question of the group. I
> am setting up audit on heavy usage systems. I have setup my auditd.conf to
> rotate the files once they get to 70 meg and allow up to 12 rotated files.

You don't need to limit the files to 12 unless you are short on disk space. 
You can use keep_logs as the max_log_file option and one will not be lost.


> I created a cron that runs hourly to look and see if a ninth rotated file
> exists and if so run "ausearch -i" outputted to a file and store the
> file,

You shouldn't need to ausearch the file? Are you doing that to split the file 
on a time hack? In that case you can just about as easily do a "service 
auditd rotate" and force auditd to end at a certain time rather than by size.


> then remove the rotated files. I run the cron to avoid losing data if 
> there is a lot of activity and rotated files are rolled off. I also have to
> balance performance with auditing in this arrangement.

Perhaps we need the capability of switching out partitions used for logging? 
Maybe that could be solved by using the space left action exec capability to 
run a custom program that re-writes the audit config file or changes a 
symlink to point to another config file to point to a new dir and then sends 
sighup to the parent (auditd).

Maybe some others have ideas about how they solve the same problem. If we need 
to make changes to the audit daemon to make this smoother, let me know what's 
needed.

-Steve
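As an added illustration of the exec-action idea above (not code from this thread or from the audit project), here is a script that, instead of rewriting auditd.conf, asks auditd to rotate with "service auditd rotate" and then moves the rotated files to a separate, larger filesystem; the script name, both directory paths and the sample auditd.conf values in the header comment are assumptions for a typical install, while max_log_file, max_log_file_action and space_left_action are the real auditd.conf keys.

```shell
#!/bin/sh
# audit-offload.sh (hypothetical name): rotate the audit log on demand and move
# the rotated files to a larger archive filesystem. Meant to be wired into
# auditd.conf roughly as (values are examples):
#   max_log_file = 70
#   max_log_file_action = keep_logs
#   space_left_action = exec /usr/local/sbin/audit-offload.sh
set -eu

AUDIT_DIR=${AUDIT_DIR:-/var/log/audit}          # assumed default log location
ARCHIVE_DIR=${ARCHIVE_DIR:-/srv/audit-archive}  # assumed: separate, larger partition

# Count rotated files (audit.log.1, audit.log.2, ...) in a directory. This is
# the "is there a ninth rotated file yet" check, usable from an hourly cron.
count_rotated() {
    n=0
    for f in "$1"/audit.log.[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Move every rotated file out of src into dst, prefixed with a UTC timestamp so
# files from different rotations never overwrite each other. The live audit.log
# is never touched. Prints the number of files moved.
archive_rotated() {
    src=$1; dst=$2; moved=0
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dst"
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue             # glob matched nothing
        mv "$f" "$dst/$stamp.$(basename "$f")"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Ask the running daemon to close audit.log and start a new one, then give it
# a moment to finish renaming before the rotated files are moved away.
offload_now() {
    service auditd rotate
    sleep 2
    archive_rotated "$AUDIT_DIR" "$ARCHIVE_DIR"
}
# Only act when executed under the installed script name, so the functions can
# be sourced or tested without touching a live auditd.
case ${0##*/} in
    audit-offload.sh) offload_now ;;
esac
```

Because mv across filesystems copies and then unlinks, the archive directory can sit on any mounted partition without changing log_file in auditd.conf.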
