Sorry I am in error on the storage question. I do have limited storage on some of my systems and depending on my rules
and what is running on the systems this could cause an issue. Presently I am using the S.T.I.G. recommendations but I may
have to use more extensive rules which I am in the process of testing.
David Flatley/Burlington/IBM@IBMUS
Thanks for the reply Steve.
Steve Grubb <sgrubb@redhat.com>
On Friday 31 October 2008 14:21:12 David Flatley wrote:
> If you would indulge my simpler in comparison question of the group. I
> am setting up audit on heavy usage systems. I have setup my auditd.conf to
> rotate the files once they get to 70 meg and allow up to 12 rotated files.
You don't need to limit the files to 12 unless you are short on disk space.
you can use keep_logs as the max_log_file option and one will not be lost.
Disk space is not a problem if the day's logging is collected and stored, which is required,
> I created a cron that runs hourly to look and see if a ninth rotated file
> exists and if so run "ausearch -i" outputted to a file and store the
> file,
You shouldn't need to ausearch the file? Are you doing that to split the file
on a time hack? In that case you can just about as easily do a "service
auditd rotate" and force auditd to end at a certain time rather than by size.
Yes and then I could use ausearch -if <file> when I need to look at the logs
after they have been moved to storage. Or apply the ausearch -i when I do the
storage of the file, I do this to convert from numerical to text on the file.
> then remove the rotated files. I run the cron to avoid losing data if
> there is alot of activity and rotated files are rolled off. I also have to
> balance performance with auditing in this arrangement.
Perhaps we need the capability of switching out partitions used for logging?
Maybe that could be solved by using the space left action exec capability to
run a custom program that re-writes the audit config file or changes a
symlink to point to another config file to point to a new dir and then sends
sighup to the parent (auditd).
Maybe some others have ideas about how they solve the same problem. If we need
to make changes to the audit daemon to make this smoother, let me know what's
needed.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit