space_left_action=exec only works once?

Bond Masuda bond.masuda at jlbond.com
Thu Jan 26 20:14:25 UTC 2017 

Thanks for the alternative Stephen. Actually, I already have one that 
seems to work by using incrond to monitor for new log files in 
/var/log/audit and running my script when a new log file appears. My 
script searches for uncompressed logs that end in a audit.log.* and 
compresses those and moves them. I have auditd set to keep_logs at 64MB 
each. This seems to work in terms of keeping the /var/log/audit 
partition space from filling up too much when we get lots of audit logs. 
I plan to use this method unless the native auditd mechanism can be made 
to work for this use case.

Bond


On 01/26/2017 12:08 PM, Stephen Buchanan wrote:
> My thought: If Steve is able to help you fix the behavior, then great. 
> Otherwise, pivot.
>
> Instead of using the space_left_action in auditd, use logrotate and 
> have it check for max log size. Put your script in the postrotate 
> section if more logic than what is provided with logrotate is needed.
>
> Stephen
>
> On Thu, Jan 26, 2017 at 2:41 PM Bond Masuda <bond.masuda at jlbond.com 
> <mailto:bond.masuda at jlbond.com>> wrote:
>
>     Thanks Steve for the suggestion. Unfortunately, even with my script
>     sending USR2 to auditd, i still get the same behavior where the
>     space_left_action=exec call to the script only happens once.
>
>     Thoughts?
>     Bond
>
>
>     On 01/25/2017 10:22 PM, Steve Grubb wrote:
>     > Hello,
>     >
>     > On Wed, 25 Jan 2017 15:06:50 -0800
>     > Bond Masuda <bond.masuda at jlbond.com
>     <mailto:bond.masuda at jlbond.com>> wrote:
>     >> I configured space_left and space_left_action to run a script that
>     >> compresses and moves older audit log files from /var/log/audit. It
>     >> appears to work 1 time, and then doesn't work anymore until I kill
>     >> the auditd daemon and start it again.
>     >>
>     >> Is this expected and/or desired behavior? I didn't see anything in
>     >> the man pages about this behavior. I was hoping to have my
>     script run
>     >> every time the space_left threshold is hit so as to not run out of
>     >> logging disk space. Is there something I can do to accomplish this?
>     > You may need to send SIGUSR2 to `pidof auditd` to reset the internal
>     > counters. Let me know if that does not fix it.
>     >
>     > -Steve
>
>     --
>     Linux-audit mailing list
>     Linux-audit at redhat.com <mailto:Linux-audit at redhat.com>
>     https://www.redhat.com/mailman/listinfo/linux-audit
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20170126/962b3373/attachment.htm>

More information about the Linux-audit mailing list