From: LC Bruzenak <lenny@magitekltd.com>
To: rshaw1@umbc.edu
Cc: linux-audit@redhat.com
Subject: Re: Log rotation and client disconnects
Date: Thu, 12 Aug 2010 10:57:20 -0500
Message-ID: <1281628640.3694.29.camel@lcb>
In-Reply-To: <45921.128.63.24.134.1281626211.squirrel@webmail.umbc.edu>
On Thu, 2010-08-12 at 11:16 -0400, rshaw1@umbc.edu wrote:
> > On Thursday, August 12, 2010 10:02:29 am rshaw1@umbc.edu wrote:
> >> I've discovered the issue since I sent it, anyway. If num_logs is set to
> >> 0, auditd will ignore explicit requests to rotate the logs. I guess this
> >> may be intentional, but it's unfortunate as num_logs caps at 99 and I need
> >> to keep 365 of them.
> >
> > Have you looked at the keep_logs option for max_log_file_action?
>
> I did, but the man page states that keep_logs is similar to rotate, so it
> sounds like if I used this option, it would still rotate the log file if
> it went above the max_log_file size, which I don't want to happen. I
> suppose I could just set max_log_file to 99999 or something (if that's
> supported). Typically, uncompressed log files for ~400 clients on the
> central server end up being around 3-4Gb.
>
> Thanks for all the help so far; I think I'm almost there.
>
> --Ray

Do you not want to rotate because of the time it takes?
Yep, the keep_logs does a rotate without a limit.

The max_log_file value is an unsigned long so it should take a very
large number. However, in case there is a lot of auditing you are not
prepared for, I'd suggest limiting the file size to 2GB. The rotate time
should be similar regardless of the file size.

BTW, in what time period are you getting the 3-4GB amounts? Are you
happy with the data you are getting - or maybe you could pare it down
some with audit.rules tweaks on the senders?

LCB.

--
LC (Lenny) Bruzenak
lenny@magitekltd.com
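
The retention settings discussed in this message, as an added example that is not part of the original post or of the audit project: a shell function that classifies an auditd.conf against a target number of kept logs. The function names and verdict strings are hypothetical; the num_logs rules (no rotation below 2, maximum 99) and the megabyte unit of max_log_file follow auditd.conf(5), and the 2048 MB threshold is the 2GB suggested above.

```shell
#!/bin/sh
# Added example, not from the thread: classify auditd.conf retention settings.

# Print the value of KEY from an auditd.conf-style "key = value" file
# (last assignment wins, lowercased); prints "unset" if the key is absent.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        NF >= 2 {
            k = tolower($1); v = tolower($2)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) val = v
        }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# check_retention CONF WANTED: print one verdict for keeping WANTED rotated logs.
check_retention() {
    action=$(conf_get "$1" max_log_file_action)
    num=$(conf_get "$1" num_logs)
    size=$(conf_get "$1" max_log_file)
    case $action in
    keep_logs)
        # Rotation with no limit on file count; num_logs is not used.
        # The thread suggests still capping each file at about 2GB.
        case $size in
        ''|*[!0-9]*) echo "CHECK_MAX_LOG_FILE" ;;
        *) if [ "$size" -gt 2048 ]; then echo "OK_BUT_LARGE_FILES"
           else echo "OK_UNLIMITED"; fi ;;
        esac ;;
    rotate)
        case $num in
        ''|*[!0-9]*) echo "CHECK_NUM_LOGS" ;;
        *) if [ "$num" -lt 2 ]; then echo "NO_ROTATION"
           elif [ "$num" -gt 99 ]; then echo "INVALID_NUM_LOGS"
           elif [ "$num" -lt "$2" ]; then echo "TOO_FEW_LOGS"
           else echo "OK_CAPPED"; fi ;;
        esac ;;
    # Other actions (for example ignore, syslog, suspend) do not rotate on size.
    *) echo "NO_SIZE_ROTATION" ;;
    esac
}
```

Called as `check_retention /etc/audit/auditd.conf 365`, it shows why the 365-log requirement cannot be met with rotate and num_logs, and why keep_logs with a bounded max_log_file can.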