From mboxrd@z Thu Jan  1 00:00:00 1970
From: Daniel J Walsh <dwalsh@redhat.com>
Subject: Re: audit log not being rotated
Date: Tue, 07 Sep 2010 10:55:18 -0400
Message-ID: <4C865256.10304@redhat.com>
References: <AANLkTikbAvTp0cNSAuJKzYwZwvZjTaREzUZ+Tq-JJ1Oa@mail.gmail.com>	<20100904175226.GB26899@localhost.localdomain>
	<AANLkTin9o2OWOxFQjkfv96YFyvxLkJ87rvNyLV_gmSH_@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <AANLkTin9o2OWOxFQjkfv96YFyvxLkJ87rvNyLV_gmSH_@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Mike Williams <dmikewilliams@gmail.com>
Cc: linux-audit@redhat.com, selinux@lists.fedoraproject.org
List-Id: linux-audit@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/04/2010 02:30 PM, Mike Williams wrote:
> On Sat, Sep 4, 2010 at 1:52 PM, Dominick Grift <domg472@gmail.com> wrote:
> 
>> On Sat, Sep 04, 2010 at 01:24:33PM -0400, Mike Williams wrote:
>>>
>>> Any idea why one box out of three would behave differently?  It is a
>>> worrisome difference.
>>
>> Audit does not use logrotate to rotate logs. I think it does that itself.
>> See /etc/audit/auditd.conf
>> Also the log can be rotated by running the auditd rc script: service auditd
>> rotate
>>
>>
> After lots of digging and, confirmed by your response, I now realize that
> logrotate is not being used.  The cron file I mentioned uses the command you
> mentioned (service auditd rotate) to rotate the logs.
> 
> I just compared /etc/auditd.conf and /etc/audit.rules on the system that was
> not rotating logs with one of the ones that has been rotating audit.log and
> they are identical.
> 
> So, for me, my original question remains a puzzle.  Why did it just work on
> two out of three boxes, but require adding a cron job to do "service auditd
> rotate" on the the third.  Murphy's Law is in force here, the system that
> has not been rotating the logs is the one that is the most important, at
> least in terms of the number of people who use it.
> 
> Mainly I'm concerned about what will happen on the update to f14, since the
> misbehaving system is now fixed.
> 
> Mike
> 
> 
> 
> 
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I would ask on the audit list.linux-audit@redhat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGUlYACgkQrlYvE4MpobO2PgCbBarqt+aP+DFjo8/1IjwyY4sr
xfMAoL3zY1LvfoKNQtguhD5CGcLHxiUU
=kKWv
-----END PGP SIGNATURE-----