[SOLVED] audit.log and logrotate with bzip2 command

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: audit.log and logrotate with bzip2 command

Post by warron.french » 2016/05/27 12:04:09

I don't know what's going on, but this stuff still isn't working.

Thanks for the help MartinR; I am going to employ what I know does actually work - my script.
Thanks,
War

MartinR
Posts: 714
Joined: 2015/05/11 07:53:27
Location: UK

Re: [STOPPED] audit.log and logrotate with bzip2 command

Post by MartinR » 2016/05/27 12:08:57

If you are testing, be careful that logrotate can create the file. If you run it twice today, the second attempt must fail since audit.log-20160527 already exists. I was working on a test machine and simply renamed it to audit.log-20160526, but if you are on a live machine you ought not to be allowed to damage the audit trail.

oelk
Posts: 4
Joined: 2016/09/28 12:04:13

Re: [STOPPED] audit.log and logrotate with bzip2 command

Post by oelk » 2016/09/29 21:30:44

Hello warron.french,

Why are you using logrotate?

See /etc/auditd/auditd.conf in CentOS 6.8:
num_logs=2
max_log_file=50M
max_log_file_action=rotate

That will use 2 audit.logs, with a maximum of 50 megabytes, and rotate when 50M is reached.

Best regards

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: [STOPPED] audit.log and logrotate with bzip2 command

Post by warron.french » 2017/11/05 07:03:01

oelk wrote: Hello warron.french,

Why are you using logrotate?

See /etc/auditd/auditd.conf in CentOS 6.8:
num_logs=2
max_log_file=50M
max_log_file_action=rotate

That will use 2 audit.logs, with a maximum of 50 megabytes, and rotate when 50M is reached.

Best regards

oelk, sorry it took over 12 months to get back to you on this. I obviously don't need this information anymore; however, you mentioned something I already knew. Also, I learned of a better tool for managing the audit.log rotation task: the use of a script distributed with both RHEL and CentOS, auditd.cron. This file is found under the path /usr/share/doc/audit-version.

Placing that script somewhere like /usr/sbin and adding a cron job to the root crontab or the general system /etc/crontab file would help manage the log rotation time-of-day attribute.

After that is handled, I still don't really know about compressing the logs, but it wouldn't have been necessary anymore.
Thanks,
War
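The auditd.conf settings oelk quoted (num_logs, max_log_file, max_log_file_action) decide whether the daemon rotates on its own and how much audit data survives on disk. The following is an added example, not code from any poster: a small POSIX shell check that reads those three keys from a constructed copy of auditd.conf (the real file lives at /etc/audit/auditd.conf; function names and the sample values are my own), reports the retained volume, and flags an action that does not rotate.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check auditd's built-in rotation.

# Read one key from an auditd.conf-style file: "key = value", '#' comments,
# optional whitespace around '='. Prints the value of the last occurrence.
audit_conf_get() {
    conf="$1"; key="$2"
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        "$conf" | tail -n 1
}

# Audit data kept on disk in megabytes: num_logs * max_log_file.
# max_log_file is a count of megabytes; a trailing M (as written in the
# thread) is tolerated.
audit_retention_mb() {
    conf="$1"
    n=$(audit_conf_get "$conf" num_logs)
    size=$(audit_conf_get "$conf" max_log_file | sed 's/[Mm]$//')
    echo $(( n * size ))
}

# Return 0 only if max_log_file_action actually rotates (rotate or keep_logs).
# The other valid values (ignore, syslog, suspend) let the active file grow
# or stop auditing when it fills, which a reviewer should flag.
audit_rotation_ok() {
    action=$(audit_conf_get "$1" max_log_file_action)
    case "$action" in
        rotate|keep_logs) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample mirroring the values quoted in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed test copy of /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
num_logs = 2
max_log_file = 50M
max_log_file_action = rotate
EOF

if audit_rotation_ok "$SAMPLE_CONF"; then
    echo "auditd rotates on its own; retains $(audit_retention_mb "$SAMPLE_CONF") MB"
else
    echo "WARNING: max_log_file_action does not rotate the audit log"
fi
```

Point the functions at the live /etc/audit/auditd.conf instead of the sample to check a real host.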
