Re: audit log not being rotated

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Mike Williams <dmikewilliams@gmail.com>, selinux@lists.fedoraproject.org
Subject: Re: audit log not being rotated
Date: Tue, 7 Sep 2010 15:40:33 -0400	[thread overview]
Message-ID: <201009071540.33586.sgrubb@redhat.com> (raw)
In-Reply-To: <4C865256.10304@redhat.com>

On Tuesday, September 07, 2010 10:55:18 am Daniel J Walsh wrote:
> > So, for me, my original question remains a puzzle.  Why did it just work
> > on two out of three boxes, but require adding a cron job to do "service
> > auditd rotate" on the the third.  Murphy's Law is in force here, the
> > system that has not been rotating the logs is the one that is the most
> > important, at least in terms of the number of people who use it.

There is no telling without access to your system. This is not a known bug in 
the audit system that is similar to what is described. So I would expect 
another explanation. Perhaps the other systems have enough events that the 
audit system is rotating the logs. The audit system rotates based on log size 
and not time of day. 

Logrotate has never been configured to do log rotation for the audit system 
because of conflicting requirements of the audit daemon needing to take special 
actions based on disk full and other errors vs simple rotation.

-Steve

     prev parent reply	other threads:[~2010-09-07 19:40 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <AANLkTikbAvTp0cNSAuJKzYwZwvZjTaREzUZ+Tq-JJ1Oa@mail.gmail.com>
     [not found] ` <20100904175226.GB26899@localhost.localdomain>
     [not found]   ` <AANLkTin9o2OWOxFQjkfv96YFyvxLkJ87rvNyLV_gmSH_@mail.gmail.com>
2010-09-07 14:55     ` audit log not being rotated Daniel J Walsh
2010-09-07 15:25       ` Mike Williams
2010-09-07 19:40       ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=201009071540.33586.sgrubb@redhat.com \
    --to=sgrubb@redhat.com \
    --cc=dmikewilliams@gmail.com \
    --cc=linux-audit@redhat.com \
    --cc=selinux@lists.fedoraproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.