HPE Community
Operating System - Linux
1828859 Members
2383 Online
109985 Solutions
New Discussion

Rotating audit logs

 
SOLVED
Go to solution
Danesh Qureshi
Regular Advisor

‎07-02-2007 03:35 AM

‎07-02-2007 03:35 AM

Rotating audit logs

Is it possible to have the auditd daemon rotate the logs according to time,
rather than size?


If auditd cannot do this, is it possible to turn off log rotating and let
the logrotate daemon do it?

0 Kudos
Reply
5 REPLIES 5
Steven E. Protter
Exalted Contributor

‎07-02-2007 03:42 AM

‎07-02-2007 03:42 AM

Solution

Re: Rotating audit logs

Shalom,

Logrotate can contain custom code to shut a daemon down to permit rotation.

Take a look at the configuration of the httpd log rotate daemon.

Or you can do a custom script to do the same thing.

Your choice.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
skt_skt
Honored Contributor

‎07-02-2007 01:05 PM

‎07-02-2007 01:05 PM

Re: Rotating audit logs

i would recommaend to turn off the audit service.it is enabled by default on RHEL 3.0. But not available on AS 2.1 and AS 4.

It makes system hang if the /var file system reaches 80% usage which is controled by the default settings.No other way other than reboot as it stops accepting any system calls. "man audit" for more details.

Also it makes lot of files of /var/log/audit.d as bin.? and roll them to save.? as it grows up.The save files grows like save.1 and sav.2 etc..

Never do any operation(rm/mv)on recent files(bin.?) and which too cause the server hangs. Be carefull if the file system is near to 80% and you may be at a potential risk.

Reply
skt_skt
Honored Contributor

‎07-02-2007 01:07 PM

‎07-02-2007 01:07 PM

Re: Rotating audit logs

audit service has dependencies with other important services too. Try disabling it on a test box first..
Reply
Danesh Qureshi
Regular Advisor

‎07-02-2007 09:36 PM

‎07-02-2007 09:36 PM

Re: Rotating audit logs

The system is running RHEL AS3 update 4.

The system was not prompting me for a password. I decided to reboot the system. After rebooting the system I noticed the /var filesystem was 100% full. I looked around and found lots of save.? files in /var/log/audit.d. I deleted all save.? files and now /var is 17% full. I left the bin.? as they are.

You were right the system was hanging because /var 100% full.

Is there a way to rotate the save.? files based on age so that they /var filesystem does not become full and cause the system to hang?

If I turn off audit service will this present any problems in terms of securuty events and system alert.

0 Kudos
Reply
skt_skt
Honored Contributor

‎07-03-2007 10:05 AM

‎07-03-2007 10:05 AM

Re: Rotating audit logs

we niether use the log files nor the audit service.There are lot of other log files or services built in Linux (a standard across all the versions) which can do our need.As i said this service is particular to RHEL AS 3.

This should notc cause any problem to other security events or monitoring.We have already implemented this
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.