From: Steve Grubb <sgrubb@redhat.com>
To: David Flatley <dflatley@us.ibm.com>
Cc: linux-audit@redhat.com
Subject: Re: Log rotation issue
Date: Fri, 3 Jan 2014 11:04:33 -0500
Message-ID: <20140103110433.70078cd9@ivy-bridge>
In-Reply-To: <OF4B7BCB87.643C745C-ON85257C55.0055B4F3-85257C55.0056BF81@us.ibm.com>
On Fri, 3 Jan 2014 10:47:31 -0500
David Flatley <dflatley@us.ibm.com> wrote:
> Run audit on dozens of systems but this one system (Red Hat 6.4
> 64 bit server Audit 2..2.2 ) does a strange thing. We use
> "/sbin/service auditd rotate" as part of a script that runs
> in /etc/cron.daily to do the audit extractions. When
> the /etc/audit/audit.log is rotated,
/var/log/audit/audit.log I presume?
> all the entries in the log after
> rotation have their date as 12/31/1969 19:00.
Have you opened the log with vi and looked to see what the
date/timestamp is? I am wondering if it's written that way or
interpreted that way.
> And on top of this
> there are a bunch of audit entries. Reviewing the log, the entries
> go along normally, but when it does this date thing the log blows up
> in size. This is the same audit config I run on all the other RHEL 6
> systems. My understanding is that when auditd rotates the logs
> there should not be any further entries in the rotated log.
Correct. The first thing it does is mark the log file readonly:
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L701
If you are getting this, look down around line 776 in the above
referenced source code. It shows that you should be getting a message
logged into syslog that explains why rotation failed.
-Steve
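The check Steve suggests above, turned into a small script, as an added example that is not part of the thread. audit.log records carry their timestamp as epoch seconds inside the msg=audit(SECONDS.MILLIS:SERIAL) field, so opening the raw file tells you whether the 12/31/1969 19:00 date is stored as a literal 0 or only rendered that way by the reporting tool (epoch 0 displays as 12/31/1969 19:00 in UTC-5, which is assumed here to be the reporter's zone). The sample records are constructed, and the read-only check mirrors what the thread says auditd does to a log before rotating it; neither the records nor the helper names come from the audit project.

```python
import re
import stat
from datetime import datetime, timedelta, timezone

# Match the start of an audit record: type and the msg=audit(SECONDS.MILLIS:SERIAL) stamp.
AUDIT_MSG = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d{3}):(\d+)\):")

# Constructed sample records (not from the original thread): two records with a
# normal January 2014 timestamp, then two whose seconds field is literally 0.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1388765071.123:456): arch=c000003e syscall=2 success=yes exit=3
type=CWD msg=audit(1388765071.123:456):  cwd="/root"
type=SYSCALL msg=audit(0.000:459): arch=c000003e syscall=2 success=yes exit=3
type=PATH msg=audit(0.000:459): item=0 name="/etc/passwd"
"""


def parse_records(text):
    """Return one dict per parseable line: record type, epoch seconds, serial, raw line."""
    records = []
    for line in text.splitlines():
        m = AUDIT_MSG.match(line)
        if not m:
            continue  # continuation or malformed line; nothing to time-stamp
        records.append({
            "type": m.group(1),
            "epoch": int(m.group(2)),
            "serial": int(m.group(4)),
            "raw": line,
        })
    return records


def zero_timestamp_serials(text):
    """Serials of records whose stored timestamp is 0: the date was written that
    way, not merely interpreted that way by ausearch/aureport."""
    return sorted({r["serial"] for r in parse_records(text) if r["epoch"] == 0})


def render_like_report_tool(epoch, utc_offset_hours):
    """Format an epoch the way a report tool would for a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime("%m/%d/%Y %H:%M")


def is_readonly_mode(st_mode):
    """True when no write bit is set on the file mode, which is the state a
    rotated audit.log should be left in according to the thread."""
    write_bits = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
    return not (stat.S_IMODE(st_mode) & write_bits)


if __name__ == "__main__":
    # Usage on a real file: parse_records(open("/var/log/audit/audit.log.1").read())
    for r in parse_records(SAMPLE_LOG):
        print(r["serial"], r["type"], render_like_report_tool(r["epoch"], -5))
    print("records written with epoch 0:", zero_timestamp_serials(SAMPLE_LOG))
```

If zero_timestamp_serials reports hits, the epoch-0 date is in the file itself and the records were appended after rotation; checking the rotated file's mode with is_readonly_mode(os.stat(path).st_mode) then shows whether the read-only marking described in the thread actually took place.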