* audit rotate question
From: LC Bruzenak @ 2009-05-20 18:37 UTC (permalink / raw)
To: Linux Audit
If I do a "service auditd rotate" it just sends the auditd the USR1
signal which means "start the rotation".
On a slow/burdened machine with many files this is not immediate.
I am trying to run a cron job which will:
mkdir /var/log/audit-archive/
service auditd rotate
mv /var/log/audit/audit.log.* /var/log/audit-archive/
But the files listed are not through rotating so it has issues (file not
found, leaves behind the last one rotated - audit.log.1, etc.).
How can I tell when the rotate is complete so I can move the files out?
I'm sure there is a simple way but I cannot see it.
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* Re: audit rotate question
From: John Dennis @ 2009-05-20 19:13 UTC (permalink / raw)
To: LC Bruzenak; +Cc: Linux Audit
LC Bruzenak wrote:
> If I do a "service auditd rotate" it just sends the auditd the USR1
> signal which means "start the rotation".
>
> On a slow/burdened machine with many files this is not immediate.
>
> I am trying to run a cron job which will :
>
> mkdir /var/log/audit-archive/
> service auditd rotate
> mv /var/log/audit/audit.log.* /var/log/audit-archive/
>
> But the files listed are not through rotating so it has issues (file not
> found, leaves behind the last one rotated - audit.log.1, etc.).
>
> How can I tell when the rotate is complete so I can move the files out?
> I'm sure there is a simple way but I cannot see it.
Set an inotify watch on the *directory*, you'll be able to see when the
files are renamed and created. The package inotify-tools may be of help,
there are also inotify python bindings. If neither of those work for you
I can send you C code which will perform the inotify watch.
--
John Dennis <jdennis@redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
* Re: audit rotate question
From: Steve Grubb @ 2009-05-20 19:29 UTC (permalink / raw)
To: linux-audit
On Wednesday 20 May 2009 02:37:01 pm LC Bruzenak wrote:
> How can I tell when the rotate is complete so I can move the files out?
Use ls -i /var/log/audit/audit.log and watch for the inode to change. Read it
first, rotate, and then read again. If you don't see progress after a certain
amount of time, you might want to check syslog for problems.
-Steve
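The cron job from the first message, with Steve's inode check inserted between the rotate and the mv, written up as a script. This is an added example, not code from this thread or from the audit package. It assumes the paths given in the first message (/var/log/audit/audit.log and /var/log/audit-archive/), that "service auditd rotate" sends auditd SIGUSR1 as the first message says, and that auditd renames audit.log to audit.log.1 (shifting the older files first) before it opens a fresh audit.log, so a new inode on audit.log means the renames are already finished. The polling loop is where John's inotify watch would go if inotify-tools is installed; plain sleep keeps the script free of extra packages.

```shell
#!/bin/sh
# Rotate auditd's log and archive the rotated files only after the
# rotation has actually finished. Added example, not code from this
# thread or from the audit package.
#
# Assumptions (not stated on the page):
#   - paths follow the first message: /var/log/audit/audit.log is the
#     live log and /var/log/audit-archive/ receives the rotated copies
#   - "service auditd rotate" delivers SIGUSR1 to auditd, as the first
#     message says
#   - auditd renames audit.log -> audit.log.1 (and shifts older files)
#     before it opens a fresh audit.log, so a new inode on audit.log
#     means the renames are already done

AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/log/audit-archive}
ROTATE_TIMEOUT=${ROTATE_TIMEOUT:-120}   # seconds to wait on a busy box

# Print the inode number of FILE (Steve's "ls -i" check), or nothing
# if the file does not exist.
log_inode() {
    ls -i "$1" 2>/dev/null | awk '{ print $1 }'
}

# wait_for_inode_change FILE OLD_INODE TIMEOUT_SECONDS
# Polls once per second until FILE exists with an inode other than
# OLD_INODE. Returns 0 when that happens, 1 on timeout.
# (inotifywait from inotify-tools, per John's reply, could replace the
# sleep; polling keeps the script free of extra packages.)
wait_for_inode_change() {
    file=$1 old=$2 timeout=$3
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        new=$(log_inode "$file")
        if [ -n "$new" ] && [ "$new" != "$old" ]; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# archive_rotated LOGDIR ARCHIVE STAMP
# Moves LOGDIR/audit.log.N (never the live audit.log) into ARCHIVE,
# appending STAMP so successive runs do not overwrite each other.
# Prints the number of files moved.
archive_rotated() {
    logdir=$1 archive=$2 stamp=$3
    mkdir -p "$archive"
    moved=0
    for f in "$logdir"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        mv "$f" "$archive/$(basename "$f").$stamp"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# The cron job from the thread, with the wait inserted between the
# rotate and the mv.
rotate_and_archive() {
    old=$(log_inode "$AUDIT_LOG")
    if [ -z "$old" ]; then
        echo "audit log $AUDIT_LOG not found" >&2
        return 1
    fi
    service auditd rotate || return 1
    if ! wait_for_inode_change "$AUDIT_LOG" "$old" "$ROTATE_TIMEOUT"; then
        # Steve's caveat: no progress means something is wrong; auditd
        # reports rotation trouble through syslog, so look there.
        echo "auditd rotation not finished after ${ROTATE_TIMEOUT}s, check syslog" >&2
        return 1
    fi
    n=$(archive_rotated "$(dirname "$AUDIT_LOG")" "$ARCHIVE_DIR" "$(date +%Y%m%d-%H%M%S)")
    echo "archived $n rotated audit log(s) to $ARCHIVE_DIR"
}

# Run from cron, e.g.:  0 3 * * * /usr/local/sbin/audit-rotate-archive.sh run
case "${1:-}" in
    run) rotate_and_archive ;;
esac
```

The inode is read before the rotate is requested, so a rotation that completes instantly is not missed, and the mv step only runs once audit.log has become a different file. The timestamp suffix on the archived names is an addition over the thread's plain mv, which would otherwise overwrite last night's audit.log.1 with tonight's.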
* Re: audit rotate question
From: LC Bruzenak @ 2009-05-20 19:41 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thanks John and Steve!
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com