Here is what I've done to manage audit log files in systems I build. You can leverage
this, and add your other things after the 'service auditd rotate'. Would that work
for you?
-Joe
#!/bin/bash
# Reference: https://access.redhat.com/solutions/661603
# auditd log rotation -- this file lives in /etc/cron.daily/auditd.cron
PATH='/sbin:/bin:/usr/sbin:/usr/bin'
FORMAT='+%Y%m%d_%H%M%S' # Customize timestamp format as desired, per 'man date'.
COMPRESS='gzip'         # Change to bzip2 or xz, if desired.
Cext='gz'               # Change to match the file extension for the compression used.
KEEP=10                 # Number of compressed log files to keep.
ROTATE_TIME=30          # Seconds to wait for auditd to rotate its logs; adjust as necessary.

# Rename each audit.log.N to audit.log.<mtime timestamp> and compress it.
# "${file%.[0-9]*}" strips the whole numeric suffix; the original '.[0-9]'
# stripped only one digit, so audit.log.10 would have become audit.log.1.<timestamp>.
# date -r (GNU coreutils) reads the file's mtime directly instead of parsing 'ls -l'.
function rename_and_compress_old_logs() {
    for file in $(find /var/log/audit/ -type f -regextype posix-extended -regex '.*audit\.log\.[0-9]+$'); do
        timestamp="$(date -r "${file}" "${FORMAT}")"
        newfile="${file%.[0-9]*}.${timestamp}"
        mv "${file}" "${newfile}"
        ${COMPRESS} -9 "${newfile}"
    done
}

# Delete all but the newest ${KEEP} compressed logs. A plain sort is chronological
# because the timestamp is YYYYMMDD_HHMMSS (sort -n is not meaningful on these names);
# xargs -r avoids running rm with no arguments when there is nothing to delete.
function delete_old_compressed_logs() {
    find /var/log/audit/ -type f -regextype posix-extended -regex '.*audit\.log\..*(xz|gz|bz2)$' \
        | sort | head -n -"${KEEP}" | xargs -r rm -f
}

rename_and_compress_old_logs    # compress anything left over from an earlier run
service auditd rotate
EV="$?"
if [ "${EV}" != 0 ]; then
    /usr/bin/logger -t auditd "FAILURE ALERT from /etc/cron.daily/auditd.cron: 'service auditd rotate' exited ABNORMALLY with exit value (${EV})."
else
    /usr/bin/logger -t auditd "cron.daily: Successful rotation of /var/log/audit/audit.log."
fi
sleep "${ROTATE_TIME}"          # give auditd time to rename audit.log to audit.log.1
rename_and_compress_old_logs
chmod 0600 /var/log/audit/audit.log
chmod 0400 /var/log/audit/audit.log*."${Cext}"
delete_old_compressed_logs
unset FORMAT COMPRESS Cext KEEP ROTATE_TIME file timestamp newfile EV
exit 0
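An added example, not Joe's script or anything from the auditd project: the same post-rotation housekeeping written so that the log directory is a parameter (it can be exercised on a scratch directory rather than /var/log/audit) and the fixed sleep is replaced by polling for audit.log.1, the file auditd produces when it rotates, with an alert on timeout instead of silently compressing nothing. It assumes GNU coreutils/findutils (date -r, find -regextype, head -n -N, xargs -r) as found on RHEL; LOGDIR-style parameters, KEEP and ROTATE_TIMEOUT are assumed knobs of this script, not auditd settings.

```shell
#!/bin/bash
# Added example (not Joe's script): auditd post-rotation housekeeping that
# takes the directory as an argument and waits for the rotation to actually
# happen. Assumes GNU coreutils/findutils. KEEP and ROTATE_TIMEOUT are
# assumed knobs of this script.

FORMAT='+%Y%m%d_%H%M%S'
COMPRESS='gzip'
CEXT='gz'
KEEP="${KEEP:-10}"                       # compressed logs to retain
ROTATE_TIMEOUT="${ROTATE_TIMEOUT:-30}"   # max seconds to wait for auditd to rotate

# Log to syslog when logger exists, and always to stderr, so a missing logger
# never hides the message or aborts the script.
alert() {
    command -v logger >/dev/null 2>&1 && logger -t auditd "$1"
    echo "auditd: $1" >&2
}

# Block until audit.log.1 appears (auditd renames audit.log to audit.log.1 on
# rotation) or ROTATE_TIMEOUT elapses. Returns 1 on timeout so the caller can
# alert instead of compressing nothing.
wait_for_rotation() {
    local dir="$1" deadline=$(( $(date +%s) + ROTATE_TIMEOUT ))
    while [ ! -f "${dir}/audit.log.1" ]; do
        [ "$(date +%s)" -ge "${deadline}" ] && return 1
        sleep 1
    done
    return 0
}

# Rename every audit.log.N to audit.log.<mtime timestamp> and compress it.
# "${f%.[0-9]*}" strips the whole numeric suffix, so audit.log.10 is handled too.
rename_and_compress_old_logs() {
    local dir="$1" f stamp
    find "${dir}" -maxdepth 1 -type f -regextype posix-extended \
         -regex '.*/audit\.log\.[0-9]+$' | while read -r f; do
        stamp="$(date -r "${f}" "${FORMAT}")"
        mv "${f}" "${f%.[0-9]*}.${stamp}"
        "${COMPRESS}" -9 "${f%.[0-9]*}.${stamp}"
    done
}

# Delete all but the newest KEEP compressed logs. A plain lexical sort is
# chronological because the names embed YYYYMMDD_HHMMSS; sort -n would not be.
delete_old_compressed_logs() {
    find "$1" -maxdepth 1 -type f -regextype posix-extended \
         -regex '.*/audit\.log\.[0-9]{8}_[0-9]{6}\.(xz|gz|bz2)$' \
        | sort | head -n -"${KEEP}" | xargs -r rm -f
}

# Number of compressed logs currently in the directory.
count_compressed_logs() {
    find "$1" -maxdepth 1 -type f -name "audit.log.*.${CEXT}" | wc -l
}

# Full run: clear leftovers, trigger rotation, wait for it, then compress,
# lock down permissions and prune. rotate_cmd is 'service auditd rotate' in
# production; a test can substitute a function that mimics auditd.
# Returns 2 if the rotate command fails and 3 if no audit.log.1 shows up.
post_rotate() {
    local dir="$1" rotate_cmd="$2"
    rename_and_compress_old_logs "${dir}"     # leftover audit.log.N from an earlier run
    if ! ${rotate_cmd}; then
        alert "FAILURE ALERT: '${rotate_cmd}' failed on ${dir}"
        return 2
    fi
    if ! wait_for_rotation "${dir}"; then
        alert "FAILURE ALERT: no ${dir}/audit.log.1 within ${ROTATE_TIMEOUT}s"
        return 3
    fi
    rename_and_compress_old_logs "${dir}"
    chmod 0600 "${dir}/audit.log"
    chmod 0400 "${dir}"/audit.log.*."${CEXT}"
    delete_old_compressed_logs "${dir}"
}

# Production use (as root, from /etc/cron.daily):
#   post_rotate /var/log/audit 'service auditd rotate'
```

The first rename pass matters for the polling check: it clears any stale audit.log.N from a previous run, so the audit.log.1 that wait_for_rotation sees is the one this rotation produced. Pruning keys on the embedded timestamp rather than on directory order, and the distinct return codes let a cron wrapper tell "rotate command failed" from "auditd never rotated".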
On Saturday, March 18, 2023 at 10:57:23 AM EDT, Christiansen, Edward - 0992 - MITLL <edwardc(a)ll.mit.edu> wrote:
I would like to know if there is a way to tell auditd to run a script or
command after it rotates its logs. I can do this with logrotate, but would
much prefer something native to auditd. I spent some time with Google and
found only logrotate solutions.
Thanks,
Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit