From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Whitney Subject: Logrotate and Audit Log Rotation Date: Wed, 14 Nov 2012 12:52:31 +0000 (GMT) Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4068331483671360223==" Return-path: Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.21]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qAEClo0M026962 for ; Wed, 14 Nov 2012 07:47:50 -0500 Received: from nk11p00mm-asmtp002.mac.com (nk11p00mm-asmtp002.mac.com [17.158.161.1]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id qAEClnDd018478 for ; Wed, 14 Nov 2012 07:47:49 -0500 Received: from nk11p00mm-spool002.mac.com ([17.158.161.99]) by nk11p00mm-asmtp002.mac.com (Oracle Communications Messaging Server 7u4-26.01(7.0.4.26.0) 64bit (built Jul 13 2012)) with ESMTP id <0MDH00H2VA7FL710@nk11p00mm-asmtp002.mac.com> for linux-audit@redhat.com; Wed, 14 Nov 2012 12:47:49 +0000 (GMT) Received: from localhost ([17.158.236.223]) by nk11p00mm-spool002.mac.com (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0) 64bit (built Aug 10 2011)) with ESMTP id <0MDH00KWYA7FFE80@nk11p00mm-spool002.mac.com> for linux-audit@redhat.com; Wed, 14 Nov 2012 12:47:39 +0000 (GMT) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============4068331483671360223== Content-type: multipart/alternative; boundary="Boundary_(ID_+IUZ5aqeIf81PCVChWcZVw)" --Boundary_(ID_+IUZ5aqeIf81PCVChWcZVw) Content-type: text/plain; charset=ISO-8859-1; format=flowed Content-transfer-encoding: quoted-printable On RHEL 6 I am able to use the logrotate facility and compress logs using = bzip2. However, when I try to use a similar method on RHEL 5, the auditd s= ervice fails to restart after the logrotate service rotates and compresses= the rotated log file.=0A=0AI found a post by Steve Grubb posted on 29 JUN= 2011:=0A=A0=A0=0A"Logrotate should not directly rotate the audit logs. I = don't supply a logrotate=A0=0Aconfiguration, but if I did it would call se= rvice auditd rotate so that auditd performs=0Athe action. The audit daemon= has to fulfill certain service guarantees that logrotate=0Adoes not care = about. For example, if the audit disk partition gets full, auditd can=0Ata= ke the system down. Logrotate never will. So, you have to let auditd do it= s own=0Athing or you will have some issues."=0A=0AIs this still the case?=A0= =0A=0APaul M. Whitney=0Apaul.whitney@icloud.com=0A=0A=0A= --Boundary_(ID_+IUZ5aqeIf81PCVChWcZVw) Content-type: multipart/related; boundary="Boundary_(ID_ANp0hzB3AUETpieG6+gfSg)"; type="text/html" --Boundary_(ID_ANp0hzB3AUETpieG6+gfSg) Content-type: text/html; CHARSET=US-ASCII Content-transfer-encoding: quoted-printable

On RHEL 6 I am able to use the logrotate facility and compress l= ogs using bzip2. However, when I try to use a similar method on RHEL 5, th= e auditd service fails to restart after the logrotate service rotates and = compresses the rotated log file.

I found a post b= y Steve Grubb posted on 29 JUN 2011:

"Log= rotate should not directly rotate the audit logs. I don't supply a logrota= te

configuration, but if I did it would call service audit= d rotate so that auditd performs

the action. The audit daemon ha= s to fulfill certain service guarantees that logrotate

does not = care about. For example, if the audit disk partition gets full, auditd can=

take the system down. Logrotate never will. So, you have to let= auditd do its own

thing or you will have some issues."

Is this still the case?

<= div>

Paul M. Whitney=0Apaul.=
whitney@icloud.com=0A=0A=0A

= --Boundary_(ID_ANp0hzB3AUETpieG6+gfSg)-- --Boundary_(ID_+IUZ5aqeIf81PCVChWcZVw)-- --===============4068331483671360223== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============4068331483671360223==--