4:19 p.m.
So, I needed a feature over 8 months ago, nobody could provide one for the
following:
Rolling log files either when they hit a certain size or the day
changed over at midnight.
I know that I could have rolled the files at a specific size, by using the
*max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
there was no "builtin" for managing auto rotation at the start of a new day
(0000 hrs).
It looks like there is a file called */usr/share/doc/auditd-<**version>*
*/auditd.cron*
*.*
To me*, *this file is new; considering I needed it 8 months ago.
*Anyway, how is this file implemented? * Simply move it to a directory with
permissions to execute; ensure it is executable and then simply set up a
cronjob to execute it at whatever time of day that I wish?
*Finally, if I have '-e 2' as the last control in the audit.rules file;
will the auditd.cron which executes as service auditd rotate still function
properly?*
Thanks in advance,
--------------------------
Warron French
4:48 p.m.
On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
So, I needed a feature over 8 months ago, nobody could provide one
for the
following:
Rolling log files either when they hit a certain size or the day
changed over at midnight.
I know that I could have rolled the files at a specific size, by using the
*max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
there was no "builtin" for managing auto rotation at the start of a new day
(0000 hrs).
It looks like there is a file called */usr/share/doc/auditd-<**version>*
*/auditd.cron*
*.*
To me*, *this file is new; considering I needed it 8 months ago.
Its over 9 years old.
*Anyway, how is this file implemented?
https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd....
Its a shell script that end up sending SIGUSR1 to auditd. That causes auditd
to rotate the files. But you would also configure auditd to not rotate files by
setting num_logs to 0 in auditd.conf.
* Simply move it to a directory with permissions to execute; ensure
it is
executable and then simply set up a cronjob to execute it at whatever time
of day that I wish?
Yes. You can also extend the script by sleeping a couple seconds for the
rotation and then rename the file and/or compress it and/or move it to another
directory or partition. Whatever you want to do.
*Finally, if I have '-e 2' as the last control in the
audit.rules file;
will the auditd.cron which executes as service auditd rotate still function
properly?*
The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
rotates the files. So, it has no bearing on the matter.
-Steve
8:28 a.m.
So, if I read this right, to implement an auditd log rotation that is
based on time one would:
1. set num_logs to 0 in auditd.conf
2. send SIGUSR1 to auditd based on your log rotation schedule.
Are there any other nuances I need to take into consideration?
On 3/22/2017 5:48 PM, Steve Grubb wrote:
On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
> Rolling log files either when they hit a certain size or the day
> changed over at midnight.
>
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*, but
> there was no "builtin" for managing auto rotation at the start of a new
day
> (0000 hrs).
>
> It looks like there is a file called */usr/share/doc/auditd-<**version>*
> */auditd.cron*
>
> *.*
> To me*, *this file is new; considering I needed it 8 months ago.
Its over 9 years old.
> *Anyway, how is this file implemented?
https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd....
Its a shell script that end up sending SIGUSR1 to auditd. That causes auditd
to rotate the files. But you would also configure auditd to not rotate files by
setting num_logs to 0 in auditd.conf.
> * Simply move it to a directory with permissions to execute; ensure it is
> executable and then simply set up a cronjob to execute it at whatever time
> of day that I wish?
Yes. You can also extend the script by sleeping a couple seconds for the
rotation and then rename the file and/or compress it and/or move it to another
directory or partition. Whatever you want to do.
> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*
The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon just
rotates the files. So, it has no bearing on the matter.
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
8:53 a.m.
----- Original Message -----
From: "Ed Christiansen MS" <edwardc(a)ll.mit.edu>
To: linux-audit(a)redhat.com
Sent: Thursday, March 23, 2017 9:28:34 AM
Subject: Re: auditd.cron
So, if I read this right, to implement an auditd log rotation that is
based on time one would:
1. set num_logs to 0 in auditd.conf
This implies no rotation
2. send SIGUSR1 to auditd based on your log rotation schedule.
Are there any other nuances I need to take into consideration?
`service auditd rotate` will force a rotation
On 3/22/2017 5:48 PM, Steve Grubb wrote:
> On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
>> So, I needed a feature over 8 months ago, nobody could provide one for the
>> following:
>> Rolling log files either when they hit a certain size or the day
>> changed over at midnight.
>>
>> I know that I could have rolled the files at a specific size, by using the
>> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
>> but
>> there was no "builtin" for managing auto rotation at the start of a
new
>> day
>> (0000 hrs).
>>
>> It looks like there is a file called */usr/share/doc/auditd-<**version>*
>> */auditd.cron*
>>
>> *.*
>> To me*, *this file is new; considering I needed it 8 months ago.
>
> Its over 9 years old.
>
>> *Anyway, how is this file implemented?
>
> https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd....
>
> Its a shell script that end up sending SIGUSR1 to auditd. That causes
> auditd
> to rotate the files. But you would also configure auditd to not rotate
> files by
> setting num_logs to 0 in auditd.conf.
>
>> * Simply move it to a directory with permissions to execute; ensure it is
>> executable and then simply set up a cronjob to execute it at whatever time
>> of day that I wish?
>
> Yes. You can also extend the script by sleeping a couple seconds for the
> rotation and then rename the file and/or compress it and/or move it to
> another
> directory or partition. Whatever you want to do.
>
>> *Finally, if I have '-e 2' as the last control in the audit.rules file;
>> will the auditd.cron which executes as service auditd rotate still
>> function
>> properly?*
>
> The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon
> just
> rotates the files. So, it has no bearing on the matter.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
Solution Architect, NA Public Sector
11:11 a.m.
On Thursday, March 23, 2017 9:53:45 AM EDT Simon Sekidde wrote:
----- Original Message -----
> From: "Ed Christiansen MS" <edwardc(a)ll.mit.edu>
> To: linux-audit(a)redhat.com
> Sent: Thursday, March 23, 2017 9:28:34 AM
> Subject: Re: auditd.cron
>
> So, if I read this right, to implement an auditd log rotation that is
> based on time one would:
>
> 1. set num_logs to 0 in auditd.conf
This implies no rotation
Which is exactly what you want because the only setting checked to see if its
time to rotate is the max_log_file setting.
> 2. send SIGUSR1 to auditd based on your log rotation schedule.
`service auditd rotate` will force a rotation
Yes, but it can be scripted without needing to use service if desired.
> Are there any other nuances I need to take into consideration?
You might set max_log_file_action to ignore to avoid any syslog warnings. By
using the SIGUSR1 method the logs will have a number appended to them and the
audit utilities can still make sense of the order of log files.
If you choose to rename the files, then you will also need to make a script
that understands the order and cats them into ausearch/report in the correct
order if you still plan to use the native tools.
-Steve
> On 3/22/2017 5:48 PM, Steve Grubb wrote:
> > On Wednesday, March 22, 2017 5:19:11 PM EDT warron.french wrote:
> >> So, I needed a feature over 8 months ago, nobody could provide one for
> >> the
> >>
> >> following:
> >> Rolling log files either when they hit a certain size or the day
> >>
> >> changed over at midnight.
> >>
> >> I know that I could have rolled the files at a specific size, by using
> >> the
> >> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> >> but
> >> there was no "builtin" for managing auto rotation at the start of
a new
> >> day
> >> (0000 hrs).
> >>
> >> It looks like there is a file called
> >> */usr/share/doc/auditd-<**version>*
> >> */auditd.cron*
> >>
> >> *.*
> >> To me*, *this file is new; considering I needed it 8 months ago.
> >
> > Its over 9 years old.
> >
> >> *Anyway, how is this file implemented?
> >
> > https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd
> > .cron
> >
> > Its a shell script that end up sending SIGUSR1 to auditd. That causes
> > auditd
> > to rotate the files. But you would also configure auditd to not rotate
> > files by
> > setting num_logs to 0 in auditd.conf.
> >
> >> * Simply move it to a directory with permissions to execute; ensure it
> >> is
> >> executable and then simply set up a cronjob to execute it at whatever
> >> time
> >> of day that I wish?
> >
> > Yes. You can also extend the script by sleeping a couple seconds for the
> > rotation and then rename the file and/or compress it and/or move it to
> > another
> > directory or partition. Whatever you want to do.
> >
> >> *Finally, if I have '-e 2' as the last control in the audit.rules
file;
> >> will the auditd.cron which executes as service auditd rotate still
> >> function
> >> properly?*
> >
> > The -e 2 makes the rules immutable. Sending SIGUSR1 to the audit daemon
> > just
> > rotates the files. So, it has no bearing on the matter.
> >
> > -Steve
> >
> > --
> > Linux-audit mailing list
> > Linux-audit(a)redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
9:45 a.m.
On Wed, Mar 22, 2017 at 5:19 PM, warron.french <warron.french(a)gmail.com>
wrote:
So, I needed a feature over 8 months ago, nobody could provide one
for the
following:
Rolling log files either when they hit a certain size or the day
changed over at midnight.
I know that I could have rolled the files at a specific size, by using the
*max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
but there was no "builtin" for managing auto rotation at the start of a new
day (0000 hrs).
It looks like there is a file called */usr/share/doc/auditd-<**version>*
*/auditd.cron*
*.*
To me*, *this file is new; considering I needed it 8 months ago.
*Anyway, how is this file implemented? * Simply move it to a directory
with permissions to execute; ensure it is executable and then simply set up
a cronjob to execute it at whatever time of day that I wish?
*Finally, if I have '-e 2' as the last control in the audit.rules file;
will the auditd.cron which executes as service auditd rotate still function
properly?*
Steve covered the important parts, but for more hand-holding:
How to implement audit log rotation with compression based on time instead
of size <https://access.redhat.com/solutions/661603>
2831
days inactive
2832
days old
linux-audit@lists.linux-audit.osci.io
5 comments
5 participants
participants (5)
-
Ed Christiansen MS -
Ryan Sawhill -
Simon Sekidde -
Steve Grubb -
warron.french