From: LC Bruzenak <lenny@magitekltd.com>
To: rshaw1@umbc.edu
Cc: linux-audit@redhat.com
Subject: Re: Log rotation and client disconnects
Date: Thu, 12 Aug 2010 10:57:20 -0500
Message-ID: <1281628640.3694.29.camel@lcb>
In-Reply-To: <45921.128.63.24.134.1281626211.squirrel@webmail.umbc.edu>
On Thu, 2010-08-12 at 11:16 -0400, rshaw1@umbc.edu wrote:
> > On Thursday, August 12, 2010 10:02:29 am rshaw1@umbc.edu wrote:
> >> I've discovered the issue since I sent it, anyway. If num_logs is set to
> >> 0, auditd will ignore explicit requests to rotate the logs. I guess this
> >> may be intentional, but it's unfortunate as num_logs caps at 99 and I need
> >> to keep 365 of them.
> >
> > Have you looked at the keep_logs option for max_log_file_action?
>
> I did, but the man page states that keep_logs is similar to rotate, so it
> sounds like if I used this option, it would still rotate the log file if
> it went above the max_log_file size, which I don't want to happen. I
> suppose I could just set max_log_file to 99999 or something (if that's
> supported). Typically, uncompressed log files for ~400 clients on the
> central server end up being around 3-4Gb.
>
> Thanks for all the help so far; I think I'm almost there.
>
> --Ray

Do you not want to rotate because of the time it takes?

Yep, the keep_logs does a rotate without a limit.

The max_log_file value is an unsigned long so it should take a very
large number. However, in case there is a lot of auditing you are not
prepared for, I'd suggest limiting the file size to 2GB. The rotate time
should be similar regardless of the file size.

BTW, in what time period are you getting the 3-4GB amounts? Are you
happy with the data you are getting - or maybe you could pare it down
some with audit.rules tweaks on the senders?

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
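
The setup discussed in this thread (keep_logs so that rotation has no count limit, a 2GB size cap, one explicit rotation per day, 365 rotated files retained), as an added example that is not from the thread's participants. It assumes rotated files are named audit.log.N in /var/log/audit with higher N being older, that max_log_file is given in megabytes, and that auditd rotates on SIGUSR1; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: rotated files are named
# audit.log.N in the log directory (higher N = older), and auditd rotates
# when it receives SIGUSR1. Function names are hypothetical.

# conf_get FILE KEY: print the (lowercased) value of KEY from an auditd.conf.
conf_get() {
    awk -F= -v k="$2" '
        { key = tolower($1); gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/[ \t]/, "", v); val = tolower(v) }
        END { print val }' "$1"
}

# check_conf FILE: succeed only if rotation is unlimited (keep_logs) and the
# size cap is at most 2048 MB, the 2GB limit suggested in the reply.
check_conf() {
    action=$(conf_get "$1" max_log_file_action)
    size=$(conf_get "$1" max_log_file)
    if [ "$action" != "keep_logs" ]; then
        echo "max_log_file_action is '$action', expected keep_logs" >&2
        return 1
    fi
    case $size in
        ''|*[!0-9]*) echo "max_log_file is missing or not a number" >&2; return 1 ;;
    esac
    [ "$size" -le 2048 ] || { echo "max_log_file=$size MB exceeds 2048" >&2; return 1; }
}

# prune_rotated DIR KEEP: delete audit.log.N for N > KEEP and print how many
# files were removed. Non-numeric suffixes (audit.log.3.gz) are left alone.
prune_rotated() {
    removed=0
    for f in "$1"/audit.log.*; do
        [ -e "$f" ] || continue
        n=${f##*.}
        case $n in ''|*[!0-9]*) continue ;; esac
        if [ "$n" -gt "$2" ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Daily cron entry point: only acts when called with --run. Pruning to 364
# before the rotation avoids racing the rename pass and leaves 365 afterwards.
if [ "${1:-}" = "--run" ]; then
    check_conf /etc/audit/auditd.conf || exit 1
    prune_rotated /var/log/audit 364
    kill -USR1 "$(pidof auditd)"
fi
```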