From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Dennis
Subject: Re: audit rotate question
Date: Wed, 20 May 2009 15:13:02 -0400
Message-ID: <4A14563E.4020207@redhat.com>
References: <1242844621.6546.149.camel@homeserver>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
In-Reply-To: <1242844621.6546.149.camel@homeserver>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: LC Bruzenak
Cc: Linux Audit
List-Id: linux-audit@redhat.com

LC Bruzenak wrote:
> If I do a "service auditd rotate" it just sends the auditd the USR1
> signal which means "start the rotation".
>
> On a slow/burdened machine with many files this is not immediate.
>
> I am trying to run a cron job which will :
>
> mkdir /var/log/audit-archive/
> service auditd rotate
> mv /var/log/audit/audit.log.* /var/log/audit-archive/
>
> But the files listed are not through rotating so it has issues (file not
> found, leaves behind the last one rotated - audit.log.1, etc.).
>
> How can I tell when the rotate is complete so I can move the files out?
> I'm sure there is a simple way but I cannot see it.

Set an inotify watch on the *directory*, you'll be able to see when the
files are renamed and created. The package inotify-tools may be of help,
there are also inotify Python bindings. If neither of those works for you
I can send you C code which will perform the inotify watch.

--
John Dennis
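
One way to follow the advice above without inotify-tools or third-party bindings, as an added example that is not from the original message or the audit project: it calls the kernel's inotify interface through Python's ctypes and starts the watch before triggering the rotate, so no rename or create event can be missed. It assumes auditd's last rotation step is creating a fresh audit.log; the function names and the 300-second timeout are hypothetical.

```python
import ctypes, glob, os, select, shutil, struct, subprocess, time
IN_MOVED_TO, IN_CREATE = 0x80, 0x100     # mask bits from <sys/inotify.h>
EVENT_HDR = struct.Struct("iIII")        # struct inotify_event: wd, mask, cookie, len
libc = ctypes.CDLL(None, use_errno=True)

def open_watch(directory):
    """Start watching the directory; call this BEFORE triggering the rotate."""
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    if libc.inotify_add_watch(fd, os.fsencode(directory), IN_MOVED_TO | IN_CREATE) < 0:
        err = ctypes.get_errno()
        os.close(fd)
        raise OSError(err, "inotify_add_watch failed")
    return fd

def parse_events(buf):
    """Yield (mask, name) for each inotify_event packed in buf."""
    off = 0
    while off + EVENT_HDR.size <= len(buf):
        _wd, mask, _cookie, nlen = EVENT_HDR.unpack_from(buf, off)
        name = buf[off + EVENT_HDR.size:off + EVENT_HDR.size + nlen]
        off += EVENT_HDR.size + nlen
        yield mask, name.rstrip(b"\0").decode()

def wait_for_rotation(fd, timeout, live="audit.log"):
    """Return rotated names once a new live log appears (assumed last rotation step)."""
    renamed, deadline = [], time.monotonic() + timeout
    while True:
        left = deadline - time.monotonic()
        if left <= 0 or not select.select([fd], [], [], left)[0]:
            raise TimeoutError("rotation not observed within %ss" % timeout)
        for mask, name in parse_events(os.read(fd, 65536)):
            if mask & IN_MOVED_TO and name.startswith(live + "."):
                renamed.append(name)           # e.g. audit.log -> audit.log.1
            elif mask & IN_CREATE and name == live and renamed:
                return renamed                 # fresh audit.log exists: rotation done

if __name__ == "__main__":
    log_dir, archive = "/var/log/audit", "/var/log/audit-archive"  # paths from the post
    os.makedirs(archive, exist_ok=True)
    fd = open_watch(log_dir)                   # watch first, then signal auditd
    try:
        subprocess.run(["service", "auditd", "rotate"], check=True)
        wait_for_rotation(fd, timeout=300)     # 300 s is an arbitrary choice
        for path in glob.glob(os.path.join(log_dir, "audit.log.*")):
            shutil.move(path, archive)
    finally:
        os.close(fd)
```

If the timeout expires the script raises and moves nothing, so a rotation that never completes leaves the logs in place.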