Thanks.  This is definitely the info I was looking for.

 

From: Burn Alting <burn.alting@iinet.net.au>
Sent: Saturday, March 18, 2023 9:26 PM
To: Christiansen, Edward - 0992 - MITLL <edwardc@ll.mit.edu>; linux-audit@redhat.com
Subject: Re: run script after auditd rotates logs

 

Ed,

 

One indirect way of achieving this is to author a script that

- sends SIGUSR1 to the auditd process (which causes auditd to immediately rotate the logs. It will consult the max_log_file_action to see if it should keep the logs or not.)

- does whatever you need to do with the rolled over audit.log files

 

Clearly you only have access to the rolled over log files (given that's what you want).

 

Rgds

 

 

On Sat, 2023-03-18 at 14:36 +0000, Christiansen, Edward - 0992 - MITLL wrote:

I would like to know if there is a way to tell auditd to run a script or 
command after it rotates its logs.  I can do this with logrotate, but would 
much prefer something native to auditd.  I spent some time with Google and 
found only logrotate solutions.
 
Thanks,
 
Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
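
The approach described in Burn's reply (send SIGUSR1 to auditd, then work on the rolled-over files), written out as a shell script. This is an added example, not code from anyone in the thread; the default paths, the assumption that rotation renames audit.log to audit.log.1, and the `archive_rotated` hook are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are assumed auditd defaults and
# can be overridden; archive_rotated is a hypothetical post-rotation hook.
umask 077
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"

# Inode number of a file (empty if the file does not exist).
inode_of() { ls -di "$1" 2>/dev/null | awk '{print $1}'; }

# Ask auditd to rotate now, as described in the reply above.
send_rotate_signal() { kill -USR1 "$(cat "$AUDITD_PIDFILE")"; }

# Signal auditd, then wait (up to $1 seconds, default 10) until the file that
# was audit.log has become audit.log.1. Assumes rotation renames the file.
rotate_and_wait() {
    timeout="${1:-10}"
    before="$(inode_of "$AUDIT_LOG")"
    [ -n "$before" ] || { echo "no $AUDIT_LOG" >&2; return 2; }
    send_rotate_signal || return 3
    while [ "$timeout" -gt 0 ]; do
        [ "$(inode_of "$AUDIT_LOG.1")" = "$before" ] && return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    echo "rotation not observed" >&2
    return 1
}

# Hypothetical hook: copy the newest rotated log into ARCHIVE_DIR under a
# timestamped name, record its SHA-256, and print the archived path.
archive_rotated() {
    src="$AUDIT_LOG.1"
    [ -f "$src" ] || return 1
    mkdir -p "$ARCHIVE_DIR" || return 1
    dest="$ARCHIVE_DIR/audit-$(date -u +%Y%m%dT%H%M%SZ).log"
    cp -p "$src" "$dest" || return 1
    (cd "$ARCHIVE_DIR" && sha256sum "$(basename "$dest")" >> SHA256SUMS) || return 1
    echo "$dest"
}

# Run only when invoked as: script --run (needs root to signal auditd).
if [ "${1:-}" = "--run" ]; then
    rotate_and_wait 10 && archive_rotated
fi
```

Invoke it as root with `--run`, for example from cron or a systemd timer.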