From: Daniel J Walsh <dwalsh@redhat.com>
To: Mike Williams <dmikewilliams@gmail.com>
Cc: linux-audit@redhat.com, selinux@lists.fedoraproject.org
Subject: Re: audit log not being rotated
Date: Tue, 07 Sep 2010 10:55:18 -0400 [thread overview]
Message-ID: <4C865256.10304@redhat.com> (raw)
In-Reply-To: <AANLkTin9o2OWOxFQjkfv96YFyvxLkJ87rvNyLV_gmSH_@mail.gmail.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/04/2010 02:30 PM, Mike Williams wrote:
> On Sat, Sep 4, 2010 at 1:52 PM, Dominick Grift <domg472@gmail.com> wrote:
>
>> On Sat, Sep 04, 2010 at 01:24:33PM -0400, Mike Williams wrote:
>>>
>>> Any idea why one box out of three would behave differently? It is a
>>> worrisome difference.
>>
>> Audit does not use logrotate to rotate logs. I think it does that itself.
>> See /etc/audit/auditd.conf
>> Also the log can be rotated by running the auditd rc script: service auditd
>> rotate
>>
>>
> After lots of digging and, confirmed by your response, I now realize that
> logrotate is not being used. The cron file I mentioned uses the command you
> mentioned (service auditd rotate) to rotate the logs.
>
> I just compared /etc/auditd.conf and /etc/audit.rules on the system that was
> not rotating logs with one of the ones that has been rotating audit.log and
> they are identical.
>
> So, for me, my original question remains a puzzle. Why did it just work on
> two out of three boxes, but require adding a cron job to do "service auditd
> rotate" on the the third. Murphy's Law is in force here, the system that
> has not been rotating the logs is the one that is the most important, at
> least in terms of the number of people who use it.
>
> Mainly I'm concerned about what will happen on the update to f14, since the
> misbehaving system is now fixed.
>
> Mike
>
>
>
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I would ask on the audit list.linux-audit@redhat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkyGUlYACgkQrlYvE4MpobO2PgCbBarqt+aP+DFjo8/1IjwyY4sr
xfMAoL3zY1LvfoKNQtguhD5CGcLHxiUU
=kKWv
-----END PGP SIGNATURE-----
next parent reply other threads:[~2010-09-07 14:55 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AANLkTikbAvTp0cNSAuJKzYwZwvZjTaREzUZ+Tq-JJ1Oa@mail.gmail.com>
[not found] ` <20100904175226.GB26899@localhost.localdomain>
[not found] ` <AANLkTin9o2OWOxFQjkfv96YFyvxLkJ87rvNyLV_gmSH_@mail.gmail.com>
2010-09-07 14:55 ` Daniel J Walsh [this message]
2010-09-07 15:25 ` audit log not being rotated Mike Williams
2010-09-07 19:40 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C865256.10304@redhat.com \
--to=dwalsh@redhat.com \
--cc=dmikewilliams@gmail.com \
--cc=linux-audit@redhat.com \
--cc=selinux@lists.fedoraproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.