Re: audit log not being rotated

Re: audit log not being rotated

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/04/2010 02:30 PM, Mike Williams wrote:
> On Sat, Sep 4, 2010 at 1:52 PM, Dominick Grift <domg472@gmail.com> wrote:
> 
>> On Sat, Sep 04, 2010 at 01:24:33PM -0400, Mike Williams wrote:
>>>
>>> Any idea why one box out of three would behave differently?  It is a
>>> worrisome difference.
>>
>> Audit does not use logrotate to rotate logs. I think it does that itself.
>> See /etc/audit/auditd.conf
>> Also the log can be rotated by running the auditd rc script: service auditd
>> rotate
>>
>>
> After lots of digging and, confirmed by your response, I now realize that
> logrotate is not being used.  The cron file I mentioned uses the command you
> mentioned (service auditd rotate) to rotate the logs.
> 
> I just compared /etc/auditd.conf and /etc/audit.rules on the system that was
> not rotating logs with one of the ones that has been rotating audit.log and
> they are identical.
> 
> So, for me, my original question remains a puzzle.  Why did it just work on
> two out of three boxes, but require adding a cron job to do "service auditd
> rotate" on the the third.  Murphy's Law is in force here, the system that
> has not been rotating the logs is the one that is the most important, at
> least in terms of the number of people who use it.
> 
> Mainly I'm concerned about what will happen on the update to f14, since the
> misbehaving system is now fixed.
> 
> Mike
> 
> 
> 
> 
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I would ask on the audit list.linux-audit@redhat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkyGUlYACgkQrlYvE4MpobO2PgCbBarqt+aP+DFjo8/1IjwyY4sr
xfMAoL3zY1LvfoKNQtguhD5CGcLHxiUU
=kKWv
-----END PGP SIGNATURE-----

Re: audit log not being rotated

[Mike Williams]

[-- Attachment #1.1: Type: text/plain, Size: 216 bytes --]

On Tue, Sep 7, 2010 at 10:55 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:

> I would ask on the audit list.linux-audit@redhat.com
>
>
I will do that, appreciate the tip, did not know about that list.

Thanks,

Mike

[-- Attachment #1.2: Type: text/html, Size: 564 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: audit log not being rotated

[Steve Grubb]

On Tuesday, September 07, 2010 10:55:18 am Daniel J Walsh wrote:
> > So, for me, my original question remains a puzzle.  Why did it just work
> > on two out of three boxes, but require adding a cron job to do "service
> > auditd rotate" on the the third.  Murphy's Law is in force here, the
> > system that has not been rotating the logs is the one that is the most
> > important, at least in terms of the number of people who use it.

There is no telling without access to your system. This is not a known bug in 
the audit system that is similar to what is described. So I would expect 
another explanation. Perhaps the other systems have enough events that the 
audit system is rotating the logs. The audit system rotates based on log size 
and not time of day. 

Logrotate has never been configured to do log rotation for the audit system 
because of conflicting requirements of the audit daemon needing to take special 
actions based on disk full and other errors vs simple rotation.

-Steve