Clarification on log rotation

Monday, 23 November 2020

Hi,

I'm checking auditd's native logrotation mechanism.

The auditd.conf manpage states this for num_logs:

"The excess log check  is  only  done  on startup and when a
reconfigure results in a space check."

I kept generating events, and truth be told, no rotation happened once
the logfile size was above max_log_file. At least not after a few
minutes.

When does a space check happens, besides on a restart? Just external
events likg SIGUSR1 and perhaps SIGHUP?

Since these are external events, how do sysadmins deal with log
rotation: completely ignore auditd's native mechanism and setup
logrotate as usual?