I don't know what's going on, but this stuff still isn't working.
Thanks for the help MartinR; I am going to employ what I know does actually work - my script.
[SOLVED] audit.log and logrotate with bzip2 command
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: audit.log and logrotate with bzip2 command
Thanks,
War
War
Re: [STOPPED] audit.log and logrotate with bzip2 command
If you are testing be careful that logrotate can create the file. If you run twice today the second attempt must fail since audit.log-20160527 already exists. I was working on a test machine and simply renamed it to audit.log-20160526, but if you are on a live machine you ought not to be allowed to damage the audit trail.
Re: [STOPPED] audit.log and logrotate with bzip2 command
Hello warron.french,
why are you usung logrotate?
See /etc/auditd/auditd.conf in CentOS 6.8:
num_logs=2
max_log_file=50M
max_log_file_action=rotate
That will use 2 audit.logs, with maximum of 50megabytes and rotate if 50M is reached.
Best regards
why are you usung logrotate?
See /etc/auditd/auditd.conf in CentOS 6.8:
num_logs=2
max_log_file=50M
max_log_file_action=rotate
That will use 2 audit.logs, with maximum of 50megabytes and rotate if 50M is reached.
Best regards
- warron.french
- Posts: 616
- Joined: 2014/03/27 20:21:58
Re: [STOPPED] audit.log and logrotate with bzip2 command
oelk sorry it took over 12 months to get back to you on this. I obviously don't need this information anymore; however, you mentioned something I already knew. Also, I learned of a better tool for managing the audit.log rotation task - the use of a script distributed with both RHEL and also Centos, auditd.cron. This file is found under the path /usr/share/doc/audit-version.oelk wrote:Hello warron.french,
why are you usung logrotate?
See /etc/auditd/auditd.conf in CentOS 6.8:
num_logs=2
max_log_file=50M
max_log_file_action=rotate
That will use 2 audit.logs, with maximum of 50megabytes and rotate if 50M is reached.
Best regards
Placing that script somewhere like /usr/sbin and adding a cronjob to the Root crontab or the general system /etc/crontab file would help manage the logrotation time-of-day attribute.
After that is handled, I still don't really know about compressing the logs, but it wouldn't have been necessary anymore.
Thanks,
War
War