run script after auditd rotates logs
Joe Wulf
joe_wulf at yahoo.com
Sun Mar 19 02:17:26 UTC 2023
Here is what I've done to manage audit log files in systems I build. You can leverage this, and add your other things after the 'service auditd rotate'. Would that work for you?
-Joe
#!/bin/bash
# Reference: https://access.redhat.com/solutions/661603
# auditd log rotation -- This file located in /etc/cron.daily/auditd.cron
PATH='/sbin:/bin:/usr/sbin:/usr/bin'

FORMAT='+%Y%m%d_%H%M%S' # Customize timestamp format as desired, per 'man date'.
COMPRESS='gzip'         # Change to bzip2 or xz, if desired.
Cext='gz'               # Change to match file EXTENSION for the compression used.
KEEP=10                 # Number of compressed log files to keep.
ROTATE_TIME=30          # Seconds to wait for auditd to rotate its logs; adjust this as necessary.

# Rename every audit.log.N (what auditd's own rotation leaves behind) to
# audit.log.<timestamp> and compress it. The timestamp is the file's
# modification time, taken with 'date -r' instead of parsing 'ls' output.
function rename_and_compress_old_logs() {
    find /var/log/audit/ -regextype posix-extended -type f -regex '.*/audit\.log\.[0-9]+$' -print0 |
    while IFS= read -r -d '' file; do
        timestamp="$(date -r "${file}" "${FORMAT}")"
        newfile="${file%.*}.${timestamp}"   # strip the numeric suffix, however many digits it has
        mv "${file}" "${newfile}"
        ${COMPRESS} -9 "${newfile}"
    done
}

# Keep only the KEEP newest compressed logs. The zero-padded timestamp in the
# name sorts chronologically, so everything but the last KEEP entries goes.
function delete_old_compressed_logs() {
    find /var/log/audit/ -regextype posix-extended -type f -regex '.*/audit\.log\..*\.(xz|gz|bz2)$' |
    sort | head -n -"${KEEP}" | xargs -r rm -f
}

rename_and_compress_old_logs
# 'rotate' sends SIGUSR1 to auditd, which renames audit.log to audit.log.1 and opens a new audit.log.
service auditd rotate
EV="$?"
if [ "${EV}" != 0 ]; then
    /usr/bin/logger -t auditd "FAILURE ALERT from /etc/cron.daily/auditd.cron 'service auditd rotate' exited ABNORMALLY with exit value(${EV})."
else
    /usr/bin/logger -t auditd "cron.daily: Successful rotation of: /var/log/audit/audit.log."
fi
sleep "${ROTATE_TIME}"
rename_and_compress_old_logs
chmod 0600 /var/log/audit/audit.log
find /var/log/audit/ -type f -name "audit.log*.${Cext}" -exec chmod 0400 {} +
delete_old_compressed_logs
exit 0
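The cron script above sleeps a fixed ROTATE_TIME after asking auditd to rotate. The following is an added example, not Joe's script and not part of auditd: it watches for the rotation to actually complete (audit.log.1 present and a new audit.log with a different inode) and only then runs a post-rotation hook, which is the "run a script after auditd rotates" behaviour the original question asks for. The function names, the --run switch and the hook are hypothetical; the rotate command and hook are passed in so the same function can be driven by a shell function instead of the real auditd.

```bash
#!/bin/bash
# Added example (not the cron script above): wait for auditd to actually finish
# rotating instead of sleeping a fixed ROTATE_TIME, then run a post-rotation hook.
# Function and variable names here are hypothetical.

# rotate_and_run DIR ROTATE_CMD HOOK [TIMEOUT]
#   DIR         directory holding audit.log (normally /var/log/audit)
#   ROTATE_CMD  command that asks auditd to rotate, e.g. "service auditd rotate"
#               (auditd rotates on SIGUSR1); a shell function works as well
#   HOOK        command run after the rotation with the rotated file as argument
#   TIMEOUT     seconds to wait for the rotation (default 30)
# Returns 0 when the hook has run, 1 if no fresh audit.log appeared in time.
rotate_and_run() {
    local dir="$1" rotate_cmd="$2" hook="$3" timeout="${4:-30}"
    local old_inode new_inode i
    old_inode="$(stat -c %i "${dir}/audit.log")" || return 1

    ${rotate_cmd} || return 1

    # auditd renames audit.log to audit.log.1 and then opens a new audit.log,
    # so the rotation is complete once audit.log.1 exists and the live file's
    # inode differs from the one recorded before the request.
    for ((i = 0; i < timeout; i++)); do
        new_inode="$(stat -c %i "${dir}/audit.log" 2>/dev/null)" || new_inode=''
        if [ -f "${dir}/audit.log.1" ] && [ -n "${new_inode}" ] && [ "${new_inode}" != "${old_inode}" ]; then
            ${hook} "${dir}/audit.log.1"
            return
        fi
        sleep 1
    done
    return 1
}

# Default hook: just note the rotation in syslog; replace it with compression,
# shipping to a collector, or whatever must run once auditd has rotated.
syslog_hook() { logger -t auditd "post-rotation hook ran for $1"; }

# Run against the real auditd only when invoked as: ./auditd-post-rotate.sh --run
if [ "${1:-}" = '--run' ]; then
    rotate_and_run /var/log/audit 'service auditd rotate' syslog_hook
fi
```

In the cron script above, calling rotate_and_run with 'service auditd rotate' and a hook that renames and compresses the rotated file would replace the sleep and the second rename pass, and a non-zero return tells you that auditd did not rotate within the timeout rather than silently leaving audit.log.1 uncompressed.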
On Saturday, March 18, 2023 at 10:57:23 AM EDT, Christiansen, Edward - 0992 - MITLL <edwardc at ll.mit.edu> wrote:
I would like to know if there is a way to tell auditd to run a script or
command after it rotates its logs. I can do this with logrotate, but would
much prefer something native to auditd. I spent some time with Google and
found only logrotate solutions.
Thanks,
Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit at redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit