From: Steve Grubb
Subject: Re: Log rotation issue
Date: Fri, 3 Jan 2014 11:04:33 -0500
Message-ID: <20140103110433.70078cd9@ivy-bridge>
To: David Flatley
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 3 Jan 2014 10:47:31 -0500 David Flatley wrote:
> Run audit on dozens of systems but this one system (Red Hat 6.4
> 64 bit server Audit 2.2.2) does a strange thing. We use
> "/sbin/service auditd rotate" as part of a script that runs
> in /etc/cron.daily to do the audit extractions. When
> the /etc/audit/audit.log is rotated,

/var/log/audit/audit.log I presume?

> all the entries in the log after
> rotation have their date as 12/31/1969 19:00.

Have you opened the log with vi and looked to see what the date/timestamp
is? I am wondering if it's written that way or interpreted that way.

> And on top of this
> there is a bunch of audit entries. Reviewing the log and the entries
> go along normally but when it does this date thing the log blows up
> in size. This is the same audit config I run on all the other RHEL 6
> systems. My understanding is that when auditd rotates the logs that
> there should not be any further entries in the rotated log.

Correct. The first thing it does is mark the log file readonly:
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L701

If you are getting this, look down around line 776 in the above referenced
source code. It shows that you should be getting a message logged into
syslog that explains why rotation failed.

-Steve
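Steve's question (is the date written into the log as zero, or only interpreted that way?) can be answered directly from the raw `msg=audit(SECONDS.MILLIS:SERIAL)` field, since 12/31/1969 19:00 is exactly what an epoch timestamp of 0 renders to in US Eastern time. The checker below is an added example, not code from the thread or from the audit project; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Every audit record carries a raw epoch timestamp: msg=audit(SECONDS.MILLIS:SERIAL)
AUDIT_TS = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\)")

# Constructed sample records (not taken from the original report).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1388764051.217:8812): arch=c000003e syscall=2 success=yes exit=3
type=DAEMON_ROTATE msg=audit(1388764080.000:8813): auditd sending auid=0 pid=1234 res=success
type=SYSCALL msg=audit(0.000:8814): arch=c000003e syscall=2 success=yes exit=3
type=SYSCALL msg=audit(0.000:8815): arch=c000003e syscall=2 success=yes exit=4
garbage line without an audit header
"""


def parse_record(line):
    """Return (seconds, millis, serial) from one audit record, or None if absent."""
    m = AUDIT_TS.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def find_epoch_zero(lines):
    """Return (serials_with_zero_timestamp, records_parsed).

    A non-empty first element means the zero is written into the file itself,
    not introduced by whatever tool rendered the dates.
    """
    zero_serials, parsed = [], 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        parsed += 1
        secs, _millis, serial = rec
        if secs == 0:
            zero_serials.append(serial)
    return zero_serials, parsed


def render_eastern(secs):
    """Render a raw epoch value the way a US Eastern (UTC-5) viewer would show it."""
    eastern = timezone(timedelta(hours=-5))
    return datetime.fromtimestamp(secs, tz=eastern).strftime("%m/%d/%Y %H:%M")


if __name__ == "__main__":
    bad, total = find_epoch_zero(SAMPLE_LOG.splitlines())
    print(f"{len(bad)} of {total} records carry a zero timestamp: {bad}")
    print("epoch 0 renders as", render_eastern(0))
```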