My thought: If Steve is able to help you fix the behavior, then great. Otherwise, pivot.

Instead of using the space_left_action in auditd, use logrotate and have it check for max log size. Put your script in the postrotate section if more logic than what is provided with logrotate is needed.

Stephen

On Thu, Jan 26, 2017 at 2:41 PM Bond Masuda <bond.masuda@jlbond.com> wrote:

Thanks Steve for the suggestion. Unfortunately, even with my script
sending USR2 to auditd, i still get the same behavior where the
space_left_action=exec call to the script only happens once.

Thoughts?
Bond

On 01/25/2017 10:22 PM, Steve Grubb wrote:
> Hello,
>
> On Wed, 25 Jan 2017 15:06:50 -0800
> Bond Masuda <bond.masuda@jlbond.com> wrote:
>> I configured space_left and space_left_action to run a script that
>> compresses and moves older audit log files from /var/log/audit. It
>> appears to work 1 time, and then doesn't work anymore until I kill
>> the auditd daemon and start it again.
>>
>> Is this expected and/or desired behavior? I didn't see anything in
>> the man pages about this behavior. I was hoping to have my script run
>> every time the space_left threshold is hit so as to not run out of
>> logging disk space. Is there something I can do to accomplish this?
> You may need to send SIGUSR2 to `pidof auditd` to reset the internal
> counters. Let me know if that does not fix it.
>
> -Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit