[SOLVED] audit.log and logrotate with bzip2 command

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58


Post by warron.french » 2016/05/25 21:42:06

I am having problems on 2 levels with logrotate.

I am trying to accomplish the following assignment:
  1. Rotate the /var/log/audit.log file if it hits 5MB (I will actually use a different size) in size (so that I can burn it to DvD and move it off of the HDD; there is no other option)
  2. Also, if Monday morning 12:01am hits, rotate the log file even if the file is 1K in size; and
  3. In either case mentioned above compress the file using bzip2 -9 to reduce its size on local disk
I have created the file /etc/logrotate.d/audit; with the following contents:
/var/log/audit/audit.log
{
weekly
dateext
compresscmd /usr/bin/bzip2
compressext .bz2
missingok
rotate 12
maxsize 5242880
sharedscripts
create 0600 root root
postrotate
/sbin/service auditd rotate
endscript
}



I have altered the /var/audit/auditd.conf value called max_log_file = 4096 (megabytes by the way).

So, after "configuring" all of this I executed the command: logrotate /etc/logrotate.d/audit, but nothing actually happens - the file isn't rotated, there is no response on the screen except that the PS1 prompt returns, and I don't see anything in any logfiles anywhere.

Please help. I need to be able to rotate the audit.log file so that it is smaller than a DvD-media (hence the 4GB I want to use) and I want to deliberately rotate at the first minute of Monday every week so that I can archive the audit.log files from the past week (or month) and maintain space on the server and the workstations.

P.S. I am also centrally logging audit-data to the server and with success already; this is a precautionary measure to comply with some IT Governance rules and still maintain the system.


Thanks,
Last edited by warron.french on 2017/11/05 07:03:33, edited 2 times in total.
Thanks,
War

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: audit.log and logrotate with bzip2 command

Post by MartinR » 2016/05/26 11:58:38

From the man page:


       -f, --force
              Tells logrotate to force the rotation, even if it doesn’t  think
              this  is  necessary.   Sometimes this is useful after adding new
              entries to a logrotate config file, or if  old  log  files  have
              been removed by hand, as the new files will be created, and log-
              ging will continue correctly.
Also use -v to get lots of information about what logrotate is up to.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: audit.log and logrotate with bzip2 command

Post by warron.french » 2016/05/26 14:28:48

MartinR, thanks for replying.

I think I just realized I didn't do a 100% detail disclosure like I thought I had.

When I run the logrotate command manually on the command line, the file does get rotated, but not with the bzip2 command and its option "-9". Will the -f switch to the logrotate command help? Will it work better with the cronjob?

Is the fact that I created a /etc/logrotate.d/audit file with the specifications inside it enough; how do I get logrotate itself to engage in the process through a cronjob? Because I see that there is a /etc/cron.daily/logrotate script and it performs the /usr/sbin/logrotate /etc/logrotate.conf command.

I am wondering if my script is being skipped based on some sort of subtleties that I might not fully understand.

Thanks in advance,
Thanks,
War

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: audit.log and logrotate with bzip2 command

Post by MartinR » 2016/05/26 15:32:16

You'll need to post /etc/logrotate.conf as well. The globals therein will also affect the stanza you quoted. Specifically I'm looking for delaycompress which does not compress the just-rotated log, only older ones. Use -v on one (or both) commands and post the output, then we can see what logrotate thinks it is doing. You might also check that /usr/bin/bzip2 is both there and usable.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: audit.log and logrotate with bzip2 command

Post by TrevorH » 2016/05/26 15:41:11

Also there is/was a bug in the gluster logrotate config file as shipped until recently that had a bunch of stuff in it that became a global setting by mistake. That should be corrected in 6.8.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: audit.log and logrotate with bzip2 command

Post by warron.french » 2016/05/26 15:42:30

TrevorH wrote:
    Also there is/was a bug in the gluster logrotate config file as shipped until recently that had a bunch of stuff in it that became a global setting by mistake. That should be corrected in 6.8.
Oh, is CentOS-6.8 out now? I have been looking for it since Red Hat released 6.8 recently.
Thanks,
War

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: audit.log and logrotate with bzip2 command

Post by TrevorH » 2016/05/26 15:46:51

6.8 has been in the CR repo for at least a week and the main release happened last night.

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: audit.log and logrotate with bzip2 command

Post by warron.french » 2016/05/26 15:48:31

MartinR wrote:
    You'll need to post /etc/logrotate.conf as well. The globals therein will also affect the stanza you quoted. Specifically I'm looking for delaycompress which does not compress the just-rotated log, only older ones. Use -v on one (or both) commands and post the output, then we can see what logrotate thinks it is doing. You might also check that /usr/bin/bzip2 is both there and usable.
The original system is in a classified environment; but the file hasn't been altered from factory settings (until about 5 minutes ago):
Here are the Contents of my 'old' /etc/logrotate.conf file before I added my changes from the /etc/logrotate.d/audit file into it:

[root@server1 etc]# cat logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# use date as a suffix of the rotated file
dateext

# uncomment this if you want your log files compressed
#compress

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp and btmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
minsize 1M
rotate 1
}

/var/log/btmp {
missingok
monthly
create 0600 root utmp
rotate 1
}

# system-specific logs may be also be configured here.
<the section below was only added 5 minutes ago, before I saw your replies (to include both MartinR and TrevorH)>
/var/log/audit/audit.log
{
dateext
missingok
rotate 12
size 320832
create 0600 root root
sharedscripts
postrotate
/sbin/service auditd rotate
endscript
}


You asked for the -v in association with one or both of the commands. Do you mean you would like to see the results of:
logrotate -vf /etc/logrotate.conf ?
Thanks,
War

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: audit.log and logrotate with bzip2 command

Post by MartinR » 2016/05/27 09:50:10

warron.french wrote:
    When I run the logrotate command manually on the command line, the file does get rotated, but not with the bzip2 command and its options "-9" will the -f switch to the logrotate command help? Will it work better with the cronjob?
Start with


 # logrotate -vf /etc/logrotate.d/audit
which will keep the output to a minimum. As an example I copied your audit logrotate to a test machine:


# ls /var/log/audit
audit.log  audit.log.1  audit.log.2  audit.log.3  audit.log.4
# logrotate -vf  /etc/logrotate.d/audit
reading config file /etc/logrotate.d/audit
reading config info for /var/log/audit/audit.log

compress_prog is now /usr/bin/bzip2
compress_ext is now .bz2

Handling 1 logs

rotating pattern: /var/log/audit/audit.log
 forced from command line (12 rotations)
empty log files are rotated, log files >= 0 are rotated earlier, old logs are removed
considering log /var/log/audit/audit.log
  log needs rotating
rotating log /var/log/audit/audit.log, log->rotateCount is 12
dateext suffix '-20160527'
glob pattern '-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
glob finding old rotated logs failed
fscreate context set to system_u:object_r:auditd_log_t:s0
renaming /var/log/audit/audit.log to /var/log/audit/audit.log-20160527
creating new /var/log/audit/audit.log mode = 0600 uid = 0 gid = 0
running postrotate script
Rotating logs:                                             [  OK  ]
set default create context
# ls /var/log/audit
audit.log    audit.log.2         audit.log.3
audit.log.1  audit.log-20160527  audit.log.4
Note that it does not tell you it is compressing, only rotating. If you add the command "compress" to your /etc/logrotate.d/audit then the end of the log looks like:


Rotating logs:                                             [  OK  ]
compressing log with: /usr/bin/bzip2
set default create context
and the file is compressed. You were telling it how to compress, but were not telling it to compress:


...
compresscmd /usr/bin/bzip2
compressext .bz2
compress
missingok
...
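The check MartinR walks through above, as an added example that is not code from the thread: a small POSIX sh lint that reports a stanza which sets compresscmd/compressext but never says compress, a nocompress override, and a compress program that is missing or not executable (the "is /usr/bin/bzip2 there and usable" check). The abridged audit stanza and the stub bzip2 it writes are constructed sample input so it runs offline; it needs only sh, awk and mktemp.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a logrotate config for the
# mistake MartinR found. compresscmd/compressext only say HOW to compress;
# without the "compress" directive logrotate never runs the compressor.

# First word of each directive line; comments and script bodies are skipped.
lr_directives() {
    awk '/^[[:space:]]*#/ {next}
         /^[[:space:]]*((pre|post)rotate|(first|last)action|preremove)/ {s=1; next}
         /^[[:space:]]*endscript/ {s=0; next}
         !s && NF {print $1}' "$1"
}

# Number of times directive $2 appears in config $1 (exit status is always 0).
lr_count() { lr_directives "$1" | awk -v d="$2" '$1==d {n++} END {print n+0}'; }

# Return 0 when the config will really compress, 1 otherwise, printing why.
lr_check_compress() {
    conf=$1 rc=0
    if [ "$(lr_count "$conf" compresscmd)" -gt 0 ] &&
       [ "$(lr_count "$conf" compress)" -eq 0 ]; then
        echo "$conf: compresscmd set but 'compress' missing, nothing gets compressed"
        rc=1
    fi
    if [ "$(lr_count "$conf" nocompress)" -gt 0 ]; then
        echo "$conf: nocompress present, compression is disabled"; rc=1
    fi
    cmd=$(awk '/^[[:space:]]*compresscmd[[:space:]]/ {print $2; exit}' "$conf")
    if [ -n "$cmd" ] && [ ! -x "$cmd" ]; then
        echo "$conf: compress program '$cmd' is missing or not executable"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the thread's stanza, abridged, written to $1/audit.$2
# ($2 = broken or fixed) with a stub bzip2 so the path check works offline.
lr_write_sample() {
    printf '#!/bin/sh\nexec cat\n' > "$1/bzip2" && chmod 0755 "$1/bzip2"
    f=$1/audit.$2
    { echo '/var/log/audit/audit.log'; echo '{'; echo "compresscmd $1/bzip2"
      echo 'compressext .bz2'; [ "$2" = fixed ] && echo 'compress'
      echo 'missingok'; echo 'rotate 12'; echo 'maxsize 5242880'
      echo 'postrotate'; echo '/sbin/service auditd rotate'; echo 'endscript'
      echo '}'; } > "$f"
    echo "$f"
}

tmp=$(mktemp -d)
lr_check_compress "$(lr_write_sample "$tmp" broken)"
lr_check_compress "$(lr_write_sample "$tmp" fixed)" && echo "fixed stanza OK"
```

Run it against a real /etc/logrotate.d/audit before trusting the DVD archive: a clean exit means the compressor will actually be invoked on the next rotation.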

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: audit.log and logrotate with bzip2 command

Post by warron.french » 2016/05/27 11:50:31

OK, so I still have to explicitly use the command compress, along with specifying the compresscmd /usr/bin/bzip2 and set the compression extension to .bz2.

I misunderstood the compress command, because

    compress
        Old versions of log files are compressed with gzip(1) by default. See also nocompress.

doesn't exactly state "this will compress"; to me it implied it was setting the compress command to gzip and executing it.

I wrote a whole shell script working around the possibility of a bug; and now I have your much more effective and straightforward solution.

I am testing your corrections. Thank you sincerely, and I will let you know how they turned out for me.
Thanks,
War
