Perfect. That is exactly what I was looking for.
Did I miss this in a man page? If not it might be useful to add.
I understand that I have to uncompress before parsing.
Learning ausearch and aureport is on my list of things to do :-)
Thanks,
-Mont
On 11/18/05, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday 18 November 2005 13:37, Mont Rothstein wrote:
> To address rotation time all I can think to do is not rotate and instead
> use cron to periodically rename (with the date), and compress the log file.
Starting with 1.0.12, the audit daemon uses SIGUSR1 to tell it to rotate log
files. (this is if you do not want to rotate by size) This was encoded into
the init script so you can do "service auditd rotate" and it will. You can
then create a cron script that does this. The audit daemon will be
using /var/log/audit/audit.log (or whatever the config file says) which means
all other files can be zipped if you wish.

Also, "aureport -t" will display the time ranges in the log files. It takes
the "-if" option if you want it to run against a particular file.
> My concern is how to safely get the existing logs and start from scratch
> without potentially losing log entries. If I copy the log file and then
> use /dev/null to clear the existing file, then there is a window between
> the cp and the /dev/null.
Don't do this.
> If I move the file will a HUP sent to auditd break the connection to the old
> logfile and start a new one?
Haven't checked and it's not the preferred way to do things.
> Has anyone else done this? Is there a better option than the ones I've
> listed here?
Also note that when you zip the files, the audit utilities will no longer be
able to directly read the files. You'll have to unzip the files to do any
searching/reporting.
-Steve
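The cron-driven approach Steve describes (rotate through the init script, then compress everything except the file auditd is still writing), as an added example that is not part of this thread. It assumes the log directory is /var/log/audit, the active file is audit.log, rotated files are named audit.log.N, and "service auditd rotate" exists on the host.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread. Rotates auditd logs via
# the init script (which signals auditd with SIGUSR1) and gzips the rotated
# files. The active log is never touched, so ausearch/aureport keep working on
# it; the compressed files must be gunzipped before the tools can read them.
# Assumed names: /var/log/audit, audit.log, audit.log.N (override via env).

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ACTIVE_LOG="${ACTIVE_LOG:-audit.log}"

# compress_rotated DIR ACTIVE
# gzip every DIR/ACTIVE.* file that is not already compressed, skipping any
# file whose .gz twin already exists (so a re-run is safe). Prints the number
# of files compressed.
compress_rotated() {
    dir=$1; active=$2; count=0
    for f in "$dir"/"$active".*; do
        [ -e "$f" ] || continue            # glob matched nothing
        case "$f" in *.gz) continue ;; esac # already compressed
        [ -e "$f.gz" ] && continue          # previous run left a .gz behind
        gzip -9 "$f"                        # replaces $f with $f.gz
        count=$((count + 1))
    done
    echo "$count"
}

# rotate_and_compress
# Ask auditd to rotate (the init script sends SIGUSR1), give it a moment to
# reopen the active log, then compress what was rotated out.
rotate_and_compress() {
    service auditd rotate || return 1
    sleep 2
    compress_rotated "$AUDIT_DIR" "$ACTIVE_LOG"
}

# Only perform the rotation when invoked as "script rotate" (e.g. from cron);
# sourcing or running it without arguments just defines the functions.
if [ "${1:-}" = "rotate" ]; then
    rotate_and_compress
fi
```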