run script after auditd rotates logs

Joe Wulf joe_wulf at yahoo.com
Sun Mar 19 02:17:26 UTC 2023


Here is what I've done to manage audit log files in systems I build. You can leverage this, and add your other things after the 'service auditd rotate'. Would that work for you?
-Joe

#!/bin/bash

# Reference:  https://access.redhat.com/solutions/661603
PATH='/sbin:/bin:/usr/sbin:/usr/bin'

# auditd log rotation -- This file located in /etc/cron.daily/auditd.cron

FORMAT='+%Y%m%d_%H%M%S'  # Customize timestamp format as desired, per 'man date'.
COMPRESS='gzip'          # Change to bzip2 or xz, if desired.
Cext='gz'                # Change to match file EXTENSION for the compression used.
KEEP=10                  # Number of compressed log files to keep.
ROTATE_TIME=30           # Amount of time in seconds to wait for auditd to rotate its logs; adjust this as necessary.

# Rename each numbered rotation (audit.log.1, audit.log.2, ...) so that its name
# carries the file's modification timestamp instead, then compress it.
function rename_and_compress_old_logs() {
    for file in $(find /var/log/audit/ -type f -regextype posix-extended -regex '.*audit\.log\.[0-9]+$'); do
        timestamp="$(date -r "${file}" "${FORMAT}")"
        # Strip the whole numeric suffix: '%.[0-9]' would turn audit.log.10 into audit.log.1.<timestamp>.
        newfile="${file%.[0-9]*}.${timestamp}"
        mv "${file}" "${newfile}"
        ${COMPRESS} -9 "${newfile}"
    done
}

# Keep only the newest ${KEEP} compressed logs; the timestamped names sort chronologically.
function delete_old_compressed_logs() {
    rm -f $(find /var/log/audit/ -regextype posix-extended -regex '.*audit\.log\..*(xz|gz|bz2)$' | sort | head -n -${KEEP}) 2>/dev/null
}

# Compress anything left over from an earlier run before asking auditd to rotate.
rename_and_compress_old_logs

service auditd rotate
EV="$?"
if [ "${EV}" != 0 ]; then
     /usr/bin/logger -t auditd "FAILURE ALERT from /etc/cron.daily/auditd.cron 'service auditd rotate' exited ABNORMALLY with exit value(${EV})."
else
     /usr/bin/logger -t auditd "cron.daily:  Successful rotation of: /var/log/audit/audit.log."
fi

# auditd rotates asynchronously; give it time to rename audit.log and reopen a new one.
sleep ${ROTATE_TIME}
rename_and_compress_old_logs
chmod 0600 /var/log/audit/audit.log
chmod 0400 /var/log/audit/audit.log*.${Cext}
delete_old_compressed_logs
unset FORMAT COMPRESS Cext KEEP ROTATE_TIME file timestamp newfile EV
exit 0


On Saturday, March 18, 2023 at 10:57:23 AM EDT, Christiansen, Edward - 0992 - MITLL <edwardc at ll.mit.edu> wrote:

I would like to know if there is a way to tell auditd to run a script or
command after it rotates its logs.  I can do this with logrotate, but would
much prefer something native to auditd.  I spent some time with Google and
found only logrotate solutions.

Thanks,

Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit at redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
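
An added example, not part of Joe's script and not a feature of auditd or logrotate, that addresses the two points of this thread from a defender's side: it notices that auditd has actually finished rotating by watching the inode of audit.log instead of sleeping a fixed ROTATE_TIME, and it then runs the post-rotation work (archive the rotated file under a content-addressed name, record its SHA-256 so that later tampering with archived logs is detectable with 'sha256sum -c'). The directory layout, the function names, the manifest file and the simulate_rotation helper are assumptions of this example; in production the rotate command is the same 'service auditd rotate' from Joe's script.

```bash
#!/bin/bash
# Added example (not Joe's script, not part of auditd). Names, paths and the
# simulated rotation below are this example's own assumptions.
set -u

# Inode number of a file, or empty if it does not exist. 'ls -i' is used
# because it behaves the same on GNU and BSD userlands.
file_inode() {
    if [ -e "$1" ]; then ls -i "$1" | awk '{print $1}'; else echo ""; fi
}

# Poll once per second, up to $3 seconds, until $1 exists with an inode that
# differs from $2. auditd renames audit.log and creates a fresh one, so the
# live file gets a new inode exactly when rotation has completed. Returns 1
# on timeout so the caller alerts instead of touching a half-rotated log.
wait_for_rotation() {
    local path="$1" old_inode="$2" timeout="$3" elapsed=0 now
    while [ "$elapsed" -lt "$timeout" ]; do
        now="$(file_inode "$path")"
        if [ -n "$now" ] && [ "$now" != "$old_inode" ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Move the just-rotated audit.log.1 into the archive directory under a name
# derived from its SHA-256 (so reruns never overwrite a different log), make
# it read-only and append the digest to the manifest. Prints the archive path.
archive_rotated_log() {
    local dir="$1" archive="$2" manifest="$3" src digest dest
    src="$dir/audit.log.1"
    [ -f "$src" ] || { echo "no rotated log found at $src" >&2; return 1; }
    mkdir -p "$archive"
    digest="$(sha256sum "$src" | awk '{print $1}')"
    dest="$archive/audit-$(printf '%s' "$digest" | cut -c1-16).log"
    mv "$src" "$dest"
    chmod 0400 "$dest"
    printf '%s  %s\n' "$digest" "$dest" >> "$manifest"
    echo "$dest"
}

# Re-check every archived log against the manifest. A non-zero exit means a
# digest no longer matches or an archived file is missing.
verify_archive() {
    sha256sum -c --quiet "$1"
}

# Trigger the rotation with $1 (a function name: real_rotate in production,
# simulate_rotation in the usage below), wait for auditd to reopen audit.log,
# then archive the rotated file. Exit 2: rotate command failed; 1: timeout.
rotate_and_archive() {
    local rotate_cmd="$1" dir="$2" archive="$3" manifest="$4" timeout="$5" old
    old="$(file_inode "$dir/audit.log")"
    "$rotate_cmd" || { echo "rotate command failed (exit $?)" >&2; return 2; }
    if ! wait_for_rotation "$dir/audit.log" "$old" "$timeout"; then
        echo "audit.log not reopened within ${timeout}s; leaving files alone" >&2
        return 1
    fi
    archive_rotated_log "$dir" "$archive" "$manifest"
}

# Production rotate command, as in Joe's cron script.
real_rotate() { service auditd rotate; }

# Constructed stand-in for what the rotate does to the files (auditd is not
# involved): rename the live log and create an empty new one. SIM_DIR is set
# by the caller, e.g. to a mktemp -d directory.
simulate_rotation() {
    mv "${SIM_DIR:?}/audit.log" "$SIM_DIR/audit.log.1"
    : > "$SIM_DIR/audit.log"
}

# Production use from /etc/cron.daily (assumed layout):
#   rotate_and_archive real_rotate /var/log/audit /var/log/audit/archive \
#       /var/log/audit/archive/SHA256SUMS 30
```

The inode check replaces the guess in ROTATE_TIME: if auditd is slow or the rotate command silently does nothing, the hook reports a timeout and leaves the files untouched rather than compressing whatever happens to be there. Running verify_archive from a separate cron entry (or from a host that pulls the manifest) gives a cheap tamper check on the archived logs.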