From: Bond Masuda <bond.masuda@jlbond.com>
To: linux-audit@redhat.com
Subject: audit log still getting rotated even with max_log_file_action = ignore?
Date: Mon, 2 Nov 2015 13:40:17 -0800
Message-ID: <5637D841.3090501@jlbond.com>

I'm seeing my /var/log/audit/audit.log getting rotated (I find an audit.1
or audit.2, etc. file) even though I have max_log_file_action=ignore.
Here's the full auditd.conf:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 6
max_log_file_action = ignore
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = exec /usr/local/bin/remove_oldest_audit_log
disk_full_action = exec /usr/local/bin/remove_oldest_audit_log
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd

What am I missing?
I have a cron job in /etc/cron.daily/auditd that I use to rotate +
compress the audit logs, but this is not what is causing the audit log
rotation.
Is there another setting I must set in order for it to not automatically
rotate the audit log? How do I achieve the desired effect, where the
audit log is only rotated when my cron script runs?
Thanks,
Bond