On Fri, 3 Jan 2014 10:47:31 -0500
David Flatley <dflatley(a)us.ibm.com> wrote:
> Run audit on dozens of systems but this one system (Red Hat 6.4
> 64-bit server, Audit 2.2.2) does a strange thing. We use
> "/sbin/service auditd rotate" as part of a script that runs
> in /etc/cron.daily to do the audit extractions. When
> the /etc/audit/audit.log is rotated,

/var/log/audit/audit.log I presume?

> all the entries in the log after
> rotation have their date as 12/31/1969 19:00.

Have you opened the log with vi and looked to see what the
date/timestamp is? I am wondering if it's written that way or
interpreted that way.

> And on top of this
> there is a bunch of audit entries. Reviewing the log and the entries
> go along normally but when it does this date thing the log blows up
> in size. This is the same audit config I run on all the other RHEL 6
> systems. My understanding is that when auditd rotates the logs that
> there should not be any further entries in the rotated log.
Correct. The first thing it does is mark the log file readonly:
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L701
If you are getting this, look down around line 776 in the above
referenced source code. It shows that you should be getting a message
logged into syslog that explains why rotation failed.
-Steve
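Steve's first question (is the bad date written into the file, or only displayed that way?) can be answered mechanically rather than by eyeballing the file in vi. Every audit record carries a raw header of the form `msg=audit(<seconds>.<millis>:<serial>)`, where seconds is a Unix epoch value, and 12/31/1969 19:00 is exactly epoch 0 rendered in US Eastern Standard Time (UTC-5). The script below is an added example, not code from the thread or from the audit project: it parses the raw headers of an audit.log, counts records whose stored timestamp is literally 0, and renders epoch 0 in the assumed UTC-5 zone to show that it matches the date David reports. The sample log lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Check raw audit.log timestamps for epoch-zero records.

Added example for the linux-audit thread above; the sample records below
are constructed, not taken from any real system.
"""
import re
import sys
from datetime import datetime, timezone, timedelta

# Raw audit record header: msg=audit(<epoch seconds>.<millis>:<serial>)
AUDIT_HDR = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")

# Assumed display zone: US Eastern Standard Time, UTC-5.
EASTERN_STD = timezone(timedelta(hours=-5))

# Constructed sample: two normal records, then two records (one event, two
# record types sharing serial 1003) whose stored timestamp is 0, plus a line
# with no audit header at all.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1388762851.312:1001): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
type=DAEMON_ROTATE msg=audit(1388762852.100:1002): auditd rotating log files
type=SYSCALL msg=audit(0.000:1003): arch=c000003e syscall=2 success=yes exit=3 comm="cat"
type=PATH msg=audit(0.000:1003): item=0 name="/etc/passwd"
garbage line without a header
"""


def parse_audit_line(line):
    """Return (epoch_seconds, millis, serial) from a record header, or None."""
    m = AUDIT_HDR.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def render_epoch(seconds, tz=EASTERN_STD):
    """Render an epoch value the way a tool in zone `tz` would display it."""
    return datetime.fromtimestamp(seconds, tz).strftime("%m/%d/%Y %H:%M")


def summarize(text, tz=EASTERN_STD):
    """Count parsed records and those whose raw timestamp is literally 0.

    A non-zero epoch_zero count means the bad date is written into the
    file by the kernel/daemon, not merely interpreted by the viewer.
    """
    total = 0
    zero_serials = set()
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue  # not an audit record; ignore
        total += 1
        secs, _millis, serial = rec
        if secs == 0:
            zero_serials.add(serial)
    return {
        "records": total,
        "epoch_zero": sum(
            1 for line in text.splitlines()
            if (r := parse_audit_line(line)) is not None and r[0] == 0
        ),
        "serials": sorted(zero_serials),
        "rendered_as": render_epoch(0, tz),
    }


if __name__ == "__main__":
    # Usage: check_audit_ts.py [/var/log/audit/audit.log]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_LOG
    result = summarize(data)
    print(f"records parsed      : {result['records']}")
    print(f"epoch-zero records  : {result['epoch_zero']}")
    print(f"affected serials    : {result['serials']}")
    print(f"epoch 0 displays as : {result['rendered_as']}")
```

If the count of epoch-zero records is non-zero, the timestamp is stored as 0 in the file itself, which points at the daemon/kernel side rather than at ausearch or aureport; if it is zero, the 1969 date is a display artefact. Either way, the serial numbers let you find the first affected record and compare it with the DAEMON_ROTATE record and the syslog message Steve points to.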