audit rotate question

John Dennis jdennis at redhat.com
Wed May 20 19:13:02 UTC 2009


LC Bruzenak wrote:
> If I do a "service auditd rotate" it just sends the auditd the USR1
> signal which means "start the rotation".
> 
> On a slow/burdened machine with many files this is not immediate.
> 
> I am trying to run a cron job which will :
> 
> mkdir /var/log/audit-archive/
> service auditd rotate
> mv /var/log/audit/audit.log.* /var/log/audit-archive/
> 
> But the files listed are not through rotating so it has issues (file not
> found, leaves behind the last one rotated - audit.log.1, etc.).
> 
> How can I tell when the rotate is complete so I can move the files out?
> I'm sure there is a simple way but I cannot see it.

Set an inotify watch on the *directory*; you'll be able to see when the
files are renamed and created. The package inotify-tools may be of help;
there are also inotify python bindings. If neither of those work for you
I can send you C code which will perform the inotify watch.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
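The approach above, as an added example that is not part of the thread (and not John's C code): a Python script that uses the kernel inotify interface directly through ctypes (standard library only, Linux only, no third-party bindings assumed), registers the directory watch *before* sending the rotate request so no event can be missed, and treats the creation of a fresh `audit.log` as the sign that auditd has finished renaming. That completion rule is an assumption about auditd's rotation order (old files renamed first, new log opened last); the paths `/var/log/audit` and `/var/log/audit-archive` are the ones from the original question.

```python
"""Wait for an auditd log rotation to finish, then move the rotated files.

Added example for the mailing-list question above. Assumptions: Linux with
inotify, and that auditd's rotation ends by creating a fresh audit.log after
it has renamed audit.log.N -> audit.log.N+1 and audit.log -> audit.log.1.
"""
import ctypes
import ctypes.util
import glob
import os
import select
import shutil
import struct
import subprocess
import sys

# Event mask bits from <sys/inotify.h>.
IN_CREATE = 0x00000100    # file created in the watched directory
IN_MOVED_TO = 0x00000080  # file renamed into the watched directory

# struct inotify_event header: int wd; uint32 mask; uint32 cookie; uint32 len
_EVENT_HDR = struct.Struct("iIII")

_libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
_libc.inotify_init.restype = ctypes.c_int
_libc.inotify_add_watch.argtypes = (ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32)
_libc.inotify_add_watch.restype = ctypes.c_int


def rotate_and_wait(log_dir, trigger, current="audit.log", timeout=60.0):
    """Install the watch, call trigger() to start the rotation, then block
    until a new `current` file is created in log_dir.

    Returns the list of names seen being renamed into / created in the
    directory (last entry is `current`), or None if no event arrived for
    `timeout` seconds. The watch exists before trigger() runs, so events
    produced by a fast rotation are queued rather than lost."""
    fd = _libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    try:
        wd = _libc.inotify_add_watch(fd, log_dir.encode(), IN_CREATE | IN_MOVED_TO)
        if wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
        trigger()
        seen = []
        while True:
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:
                return None
            buf = os.read(fd, 64 * 1024)
            offset = 0
            while offset < len(buf):
                _, mask, _, length = _EVENT_HDR.unpack_from(buf, offset)
                offset += _EVENT_HDR.size
                # name is NUL-padded to `length` bytes; keep the part before the first NUL
                name = buf[offset:offset + length].split(b"\0", 1)[0].decode()
                offset += length
                seen.append(name)
                if mask & IN_CREATE and name == current:
                    return seen
    finally:
        os.close(fd)


def archive_rotated(log_dir, archive_dir, current="audit.log"):
    """Move audit.log.* (never the live audit.log) into archive_dir.
    Returns the sorted list of file names moved."""
    os.makedirs(archive_dir, exist_ok=True)
    moved = []
    for path in sorted(glob.glob(os.path.join(log_dir, current + ".*"))):
        shutil.move(path, os.path.join(archive_dir, os.path.basename(path)))
        moved.append(os.path.basename(path))
    return moved


if __name__ == "__main__":
    log_dir = "/var/log/audit"
    archive_dir = "/var/log/audit-archive"
    # Hypothetical cron body: the watch is armed before the signal is sent.
    result = rotate_and_wait(
        log_dir, lambda: subprocess.check_call(["service", "auditd", "rotate"]))
    if result is None:
        sys.exit("timed out waiting for auditd to finish rotating")
    print("archived:", archive_rotated(log_dir, archive_dir))
```

The ordering is the whole point: `service auditd rotate` only sends SIGUSR1, so a watch added after the signal can miss the renames on an idle machine and then wait forever. With the watch armed first, the burst of IN_MOVED_TO events for `audit.log.N` followed by IN_CREATE for `audit.log` is read from the queue whenever the script gets to it, and the `mv` of `audit.log.*` runs only once the new live log exists. Keep a timeout so a cron job that fires while auditd is stopped fails loudly instead of hanging.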
