From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Log rotation and client disconnects
Date: Thu, 12 Aug 2010 10:25:59 -0400
Message-ID: <201008121025.59525.sgrubb@redhat.com>
In-Reply-To: <58805.128.63.24.134.1281621749.squirrel@webmail.umbc.edu>

On Thursday, August 12, 2010 10:02:29 am rshaw1@umbc.edu wrote:
> I've discovered the issue since I sent it, anyway. If num_logs is set to
> 0, auditd will ignore explicit requests to rotate the logs. I guess this
> may be intentional, but it's unfortunate as num_logs caps at 99 and I need
> to keep 365 of them.

Have you looked at the keep_logs option for max_log_file_action?

> I suppose that since I'll have to rename and bzip
> them anyway, I may as well just move them to another location (maybe
> /var/log/audit/archive) so that auditd doesn't "see" them, unless there's
> a better way to do this.

Yes, you should archive them away since by being in /var/log/audit, they are
used in calculating the log space left.

> I'm still not sure what to do about the disconnection issues (although
> hopefully those will be very infrequent once I'm no longer restarting any
> of the daemons). If a client does lose the connection to the server for a
> while though (say, an hour-long network outage for networking upgrades),
> I'd like to be able to tell them to try reconnecting periodically, and the
> combination of network_retry_time and max_tries_per_record doesn't seem to
> be the way to do that.
>
> Other than checking the logs, is there a way to determine whether or not a
> running audispd is connected to the remote server?

It logs this. Also I suppose you could peek into its open descriptors with
lsof or just checking in /proc.

-Steve
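
The /proc check suggested in the reply above, as an added example that is not part of the original message or of the audit project's code: a shell function that reports whether a given PID holds an ESTABLISHED TCP socket to a given remote port. The function name, the PID and the port are assumptions; substitute the process that holds the remote-logging connection and the port from your own configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Answers "is this process connected to
# the remote collector?" using only /proc, with no dependency on lsof.
#
# Usage: remote_connected <pid> <remote_port> [proc_root]
#   proc_root defaults to /proc; it is a parameter only so the logic can be
#   exercised against a constructed directory tree.
# Returns 0 if the process owns an ESTABLISHED TCP socket to remote_port.
remote_connected() {
    pid=$1 port=$2 root=${3:-/proc}
    # /proc/<pid>/net/tcp prints ports as 4-digit uppercase hex.
    hexport=$(printf '%04X' "$port")

    # Step 1: collect the socket inodes behind the process's descriptors.
    # Each socket fd is a symlink whose target reads "socket:[<inode>]".
    inodes=" "
    for fd in "$root/$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:\[*\])
                ino=${target#socket:\[}
                ino=${ino%\]}
                inodes="$inodes$ino " ;;
        esac
    done

    # Step 2: match those inodes against the TCP tables as seen from the
    # process's own network namespace.
    #   field 3  = remote address:port (hex)
    #   field 4  = state, 01 means ESTABLISHED
    #   field 10 = socket inode
    for tbl in "$root/$pid/net/tcp" "$root/$pid/net/tcp6"; do
        [ -r "$tbl" ] || continue
        awk -v want="$hexport" -v inodes="$inodes" '
            NR > 1 && $4 == "01" {
                n = split($3, r, ":")
                if (r[n] == want && index(inodes, " " $10 " ")) found = 1
            }
            END { exit !found }' "$tbl" && return 0
    done
    return 1
}
```

Reading another process's fd directory requires root. A socket stuck in a state other than ESTABLISHED (for example while the client is still retrying) is reported as not connected.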