Use logrotate for audit logs? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Use logrotate for audit logs?

Audit watches on NFS mounts

[userspace PATCH v2 0/3] Add...

leam hall

Wednesday, 19 October 2016 Wed, 19 Oct '16

2:26 p.m.

Is there any reason to not use logrotate for audit logs on RHEL 6? We'd like to keep them fresh and compressed. Thanks! Leam -- Mind on a Mission <http://leamhall.blogspot.com/>

Attachments:

attachment.html (text/html — 395 bytes)

Reply

Show replies by date

Simon Sekidde

Wednesday, 19 October Wed, 19 Oct

3:46 p.m.

Hi Leam ----- Original Message -----

From: "leam hall" <leamhall(a)gmail.com> To: linux-audit(a)redhat.com Sent: Wednesday, October 19, 2016 3:26:23 PM Subject: Use logrotate for audit logs? Is there any reason to not use logrotate for audit logs on RHEL 6? We'd like to keep them fresh and compressed.

This was discussed a while back https://www.redhat.com/archives/linux-audit/2012-November/msg00008.html

Thanks! Leam -- Mind on a Mission -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

-- Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

Reply

leam hall

Thursday, 20 October Thu, 20 Oct

6:32 a.m.

On Wed, Oct 19, 2016 at 4:46 PM, Simon Sekidde <ssekidde(a)redhat.com> wrote:

Hi Leam ----- Original Message ----- > From: "leam hall" <leamhall(a)gmail.com> > To: linux-audit(a)redhat.com > Sent: Wednesday, October 19, 2016 3:26:23 PM > Subject: Use logrotate for audit logs? > > Is there any reason to not use logrotate for audit logs on RHEL 6? We'd like > to keep them fresh and compressed. > This was discussed a while back https://www.redhat.com/archives/linux-audit/2012-November/msg00008.html > Thanks! > > Leam > > -- > Mind on a Mission > > -- > Linux-audit mailing list > Linux-audit(a)redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E

Simon, thanks! In this case, Steve talks about the system being taken down due to audit logs filling up the volumes. When that's not the best idea for a server, it looks like logrotate is a better choice. Leam -- Mind on a Mission <http://leamhall.blogspot.com/>

Reply

Ryan Sawhill

9:15 a.m.

On Thu, Oct 20, 2016 at 7:32 AM, leam hall <leamhall(a)gmail.com> wrote:

In this case, Steve talks about the system being taken down due to audit logs filling up the volumes. When that's not the best idea for a server, it looks like logrotate is a better choice.

No. You misunderstand. auditd CAN be configured to take the system down when there's no more space for audit logs; it does not do this by default. (See auditd.conf's various *_action directives, e.g., disk_full_action.) There is IMHO very little reason to switch to using logrotate. Please check out `man auditd.conf`.

Reply

2993

days inactive

2994

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

leam hall
Ryan Sawhill
Simon Sekidde