Clarification on log rotation
Andreas Hasenack
andreas at canonical.com
Mon Nov 23 14:21:56 UTC 2020
Hi,
I'm checking auditd's native logrotation mechanism.
The auditd.conf manpage states this for num_logs:
"The excess log check is only done on startup and when a
reconfigure results in a space check."
I kept generating events, and truth be told, no rotation happened once
the logfile size was above max_log_file. At least not after a few
minutes.
When does a space check happens, besides on a restart? Just external
events likg SIGUSR1 and perhaps SIGHUP?
Since these are external events, how do sysadmins deal with log
rotation: completely ignore auditd's native mechanism and setup
logrotate as usual?
More information about the Linux-audit
mailing list