corrupted checkpoint

MAUPERTUIS, PHILIPPE philippe.maupertuis at equensworldline.com
Fri Feb 28 15:33:58 UTC 2020 

Hi,
I should have read the man more carefully, I missed the checkpoint option on –ts ☹
I agree it would be better to have one directory per host.
With hosts added dynamically I need to find a way to automate the log rotation and the cyclic ausearch
Anyway, I saved my day.
Thanks a lot
Philippe

De : Burn Alting [mailto:burn.alting at iinet.net.au]
Envoyé : vendredi 28 février 2020 14:03
À : MAUPERTUIS, PHILIPPE; linux-audit at redhat.com
Objet : Re: corrupted checkpoint

Phillippe,

From man ausearch ..
     -ts, --start [start-date] [start-time]
              Search for events with time stamps equal to or after the given start time. The format of start time depends on your locale. You can check the format of your locale by running  date  '+%x'.   If  the
              date  is  omitted,  today  is  assumed.  If  the  time  is  omitted,  midnight is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is
              09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable.

              You may also use the word: now, recent, boot, today, yesterday, this-week, week-ago, this-month, this-year, or checkpoint. Boot means the time of day to the second when the system last booted. Today
              means  starting  at  1  second  after midnight. Recent is 10 minutes ago. Yesterday is 1 second after midnight the previous day. This-week means starting 1 second after midnight on day 0 of the week
              determined by your locale (see localtime). Week-ago means starting 1 second after midnight exactly 7 days ago. This-month means 1 second after midnight on day 1 of the month. This-year means  the  1
              second after midnight on the first day of the first month.

              checkpoint  means  ausearch  will  use the timestamp found within a valid checkpoint file ignoring the recorded inode, device, serial, node and event type also found within a checkpoint file. Essen‐
              tially, this is the recovery action should an invocation of ausearch with a checkpoint option fail with an exit status of 10, 11 or 12. It could be used in a shell script something like:

                   ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
                   _au_status=$?
                   if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
                   then
                     ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
                   fi


That said, rather than sending events from multiple hosts to a single combined file, I would strongly recommend one maintain multiple files, one per host. The most recent change to the ausearch checkpoint code addressed this. So
given a directory structure like say,
  repository/
  repository/year/
  repository/year/month
  repository/year/month/day
  repository/year/month/day/hosta/auditd.log
  repository/year/month/day/hostb/auditd.log
  repository/year/month/day/hostc/auditd.log
  ...
  repository/year/month/day/hostN/auditd.log

one could orchestrate a script that run's multiple ausearch commands along the lines of
ausearch -if repository/year/month/day/hosta/auditd.log --checkpoint .../hosta.chkpt ...
ausearch -if repository/year/month/day/hostb/auditd.log --checkpoint .../hostb.chkpt ...

etc


On Fri, 2020-02-28 at 10:46 +0000, MAUPERTUIS, PHILIPPE wrote:
Hi
I set a cron job script to perform ausearch every 5 minutes  on a central log server.
The logs from various hosts are received together in the same file
The logs are rotated on a daily basis
Everything ran fine for several days, then suddently I got :
Corrupted checkpoint file. Inode match, but newer complete event (1582684501.003:48035) found before loaded checkpoint 1582684346.999:48034
The events are :
checkpoint
audit.log.3: node=xxxxxxxx type=USER_END msg=audit(1582684346.999:48034): pid=15666 uid=0 auid=0
newer event
audit.log.2: node= xxxxxxxx type=USER_ACCT msg=audit(1582684501.003:48035): pid=16000
I  guess the problem is due to the log rotation since the two messages are coming from the same host.
I have a few  questions
When it happens how can I restart the process ?
Is there a way to restart ausearch from the newer event ?
How could I extract the events between the checkpoint and the newer event ?
The checkpoint file contains :
dev=0xFD03
inode=1048581
output=xxxxxxxx 1582770601.342:380885 0x456

What is this : 0x456 ?
How can I find the value for a given event ?

Philippe


Worldline and equensWorldline are a registered trademarks and trading names owned by Worldline Group.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email

--

Linux-audit mailing list
<mailto:Linux-audit at redhat.com>

Linux-audit at redhat.com<mailto:Linux-audit at redhat.com>



<https://www.redhat.com/mailman/listinfo/linux-audit>

https://www.redhat.com/mailman/listinfo/linux-audit


Worldline and equensWorldline are a registered trademarks and trading names owned by Worldline Group.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20200228/78d956af/attachment.htm>

More information about the Linux-audit mailing list