From: Steve Grubb <sgrubb@redhat.com>
To: Linux-audit@redhat.com, Andreas Hasenack <andreas@canonical.com>
Subject: Re: Clarification on log rotation
Date: Mon, 23 Nov 2020 11:05:41 -0500
Message-ID: <2063648.irdbgypaU6@x2>
In-Reply-To: <CANYNYEE1kBF1mDFUGhd7uJUHX8Bth9Qmhk0WKE4V+nNaYCnz0w@mail.gmail.com>

On Monday, November 23, 2020 9:21:56 AM EST Andreas Hasenack wrote:
> I'm checking auditd's native logrotation mechanism.
> 
> The auditd.conf manpage states this for num_logs:
> 
> "The excess log check  is  only  done  on startup and when a
> reconfigure results in a space check."
> 
> I kept generating events, and truth be told, no rotation happened once
> the logfile size was above max_log_file. At least not after a few
> minutes.

Rotation is different than excess log checks. Log size checking is done every
write. But this is only done when the daemon is not in debug mode and
write_logs is not 0 and max_log_size_action is rotate and num_logs > 1.

> When does a space check happen, besides on a restart? Just external
> events like SIGUSR1 and perhaps SIGHUP?

Every 3 writes.

> Since these are external events, how do sysadmins deal with log
> rotation: completely ignore auditd's native mechanism and setup
> logrotate as usual?

Generally people fall into 3 camps. The first camp is they correctly configure
the native implementation and just use it. The second camp needs something
special. They either set max_log_size_action to keeplogs and then handle it
on a cron job where that may use checkpointing. And yet another group just
sends events to syslog and handles it via splunk or elastic search.

-Steve
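As an added example (not code from the thread or from the audit project), a small Python checker that applies the four conditions Steve lists to the contents of an auditd.conf. It accepts both the max_log_size_action spelling used in the reply and the max_log_file_action key that auditd.conf itself uses, and treats an absent key as not satisfying the condition (an assumption; the daemon's compiled-in defaults are not stated in the thread). The sample configs are constructed.

```python
"""Report why auditd's native per-write rotation would not fire.

Conditions taken from Steve's reply: daemon not in debug mode, write_logs
not disabled, max-log action set to rotate, and num_logs greater than 1.
"""


def parse_auditd_conf(text):
    """Parse 'key = value' lines; '#' starts a comment. Keys/values lowercased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip().lower()
    return conf


def native_rotation_reasons(conf, debug_mode=False):
    """Return the list of reasons native rotation will NOT happen (empty = OK)."""
    reasons = []
    if debug_mode:
        reasons.append("daemon running in debug mode")
    # auditd.conf spells this yes/no; the reply describes it as "not 0".
    if conf.get("write_logs", "missing") in ("no", "0", "missing"):
        reasons.append("write_logs is disabled or not set")
    # Assumption: a missing key counts as not rotating (defaults not stated).
    action = conf.get("max_log_file_action", conf.get("max_log_size_action", "unset"))
    if action != "rotate":
        reasons.append(f"max_log_file_action = {action} (not rotate)")
    try:
        num_logs = int(conf.get("num_logs", "0"))
    except ValueError:
        num_logs = 0
    if num_logs <= 1:
        reasons.append(f"num_logs = {num_logs} (must be > 1)")
    return reasons


# Constructed sample: the "first camp", native rotation correctly configured.
GOOD_CONF = """\
log_file = /var/log/audit/audit.log   # constructed sample, not a real file
write_logs = yes
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
"""

# Constructed sample: the "second camp", keeplogs plus a cron job, so the
# daemon itself must not be expected to rotate.
KEEPLOGS_CONF = """\
write_logs = yes
max_log_file = 8
max_log_file_action = KEEPLOGS
num_logs = 1
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONF), ("keeplogs", KEEPLOGS_CONF)):
        print(name, native_rotation_reasons(parse_auditd_conf(text)) or "rotates natively")
```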


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

