Q: audit log rotation.

Q: audit log rotation.

[The UnSeen]

Is there a way to dictate the format of naming convention of the rotated 
logfiles to better reflect the date range of the data contained in the 
file instead of simply audit.log.1, audit.log.2, etc?  Something perhaps 
defined in the /etc/auditd.conf file?  I'm used to the BSM scheme 
personally.  It would make it easier to manage the files for archiving 
purposes (IMHO).

Also, it would be nice (if it doesn't exist already) to have a way to do 
audit reductions 1 event on a line instead of X lines for an event.

Ian

Re: Q: audit log rotation.

[Stephen John Smoogen]

On 4/18/06, The UnSeen <ian@south-border.com> wrote:
>
> Is there a way to dictate the format of naming convention of the rotated
> logfiles to better reflect the date range of the data contained in the
> file instead of simply audit.log.1, audit.log.2, etc?  Something perhaps
> defined in the /etc/auditd.conf file?  I'm used to the BSM scheme
> personally.  It would make it easier to manage the files for archiving
> purposes (IMHO).
>
> Also, it would be nice (if it doesn't exist already) to have a way to do
> audit reductions 1 event on a line instead of X lines for an event.


I think there is a set of patches to logrotate in Debian that allows
you to put your rotate format. We had an internal version that rotated
it as .YYYYMMDD for that. I remember there was a bugzilla to add this
for a long time...

>
> Ian
>
>
>
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>


--
Stephen J Smoogen.
CSIRT/Linux System Administrator

Re: Q: audit log rotation.

[Steve Grubb]

On Tuesday 18 April 2006 12:54, The UnSeen wrote:
> Is there a way to dictate the format of naming convention of the rotated
> logfiles to better reflect the date range of the data contained in the
> file instead of simply audit.log.1, audit.log.2, etc?

No. But you can easily cobble something together to do it. BTW, "aureport -t" 
will give you the time ranges.

> Also, it would be nice (if it doesn't exist already) to have a way to do
> audit reductions 1 event on a line instead of X lines for an event.

I suspect that will get messy. You can have a lot of information without a 
visual cue to help decipher what you are looking at. Have you played around 
with aureport ? It was intended to give something more concise, 1 event per 
line. It also gives everything you need to track down the event in the audit 
logs if you need more information.

But just in case you want to see it:

ausearch -ts 1:00:00 | grep -v 'time->' | tr '\n' ' ' | sed -e 's/----/\n/g'

to get the events since 1 am, one per line.

-Steve

RE: audit log rotation.

[Mackay, Scott]

For combining (something I am playing with) I am using this script to generate a working copy of the log where I can play with it:
 
awk 'BEGIN {lid=""} {if (lid!=$2) { printf "\n"s ",$2;lid=$2} for (i=1;i<NF;i++) if (i!=2) { printf "%s ",$i}' $FILE
 
Basically it will put the id field first and merge in all the columns to 1 line.  You may need to use a sort on the input, but I think it all is fairly ordered...

________________________________

From: linux-audit-bounces@redhat.com on behalf of The UnSeen
Sent: Tue 4/18/2006 12:54 PM
To: linux-audit@redhat.com
Subject: Q: audit log rotation.




Is there a way to dictate the format of naming convention of the rotated
logfiles to better reflect the date range of the data contained in the
file instead of simply audit.log.1, audit.log.2, etc?  Something perhaps
defined in the /etc/auditd.conf file?  I'm used to the BSM scheme
personally.  It would make it easier to manage the files for archiving
purposes (IMHO).

Also, it would be nice (if it doesn't exist already) to have a way to do
audit reductions 1 event on a line instead of X lines for an event.

Ian





--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit