LinuxQuestions.org


tjainsworth 06-29-2006 11:45 AM

archiving rotated log files
 
I have to archive the /var/log/messages and /var/log/secure files for five (5) years. I have come up with a naming convention <date>_<hostname>_<original filename> that I am currently using on another OS (OpenVMS). I have been diving into cron - syslog - logrotate - bla bla bla. But I have not come across a security savvy method to move the "rotated" files. If the system cron kicks off at 00:00:00, the current log file gets rotated to *.1 - I understand that. But, I do not want to move/rename the log file until the responsible process is "entirely" finished completing the rotate. I have tried to figure out how to do this without having unaccounted seconds in the system. Seems very easy in theory, but getting down in the nuts and bolts is not as intuitive as the man pages convey.

I have a script that is kicked off in the "root" cron that NFS mounts my target directory - copies/moves the file with a rename appending the name as mentioned above, but I would like to modify the logrotate mechanism to do this "cleanly"...cannot miss a beat...

...hope this makes sense...

...thanks in advance...
...learning the hard way...

cdhgee 06-30-2006 09:20 AM

OK, turning the problem around on its head, what about running the archive directly before cron does the rotate, so the archive is archiving the previous day's logs?

tjainsworth 07-05-2006 07:41 AM

Well - I thought of that initially - but there is no guarantee that all entries are included in the file/log. Maybe I am off here - but if I kick off say a cron job that performs a copy at 00:00:00 of /var/log/messages, then the log gets renamed at the same time or one second after to /var/log/messages.1, there are a few smidgets of a second that could be unaccounted for - so I thought I would wait until the SYSTEM cron renamed it, then after the fact copy/rename the file off to a remote server. Maybe I am paranoid, but the security folks at my customer sites are very particular. And the more I pondered, I thought it would be the cleanest to piggy-back right on the Linux logging schema and have it do the work for me...not exactly intuitive though...

...please correct me if I am off...

cdhgee 07-10-2006 03:53 AM

OK....would it be an option to set up logrotate so that instead of it rotating to .1 in the log directory itself, it rotates to the appropriate destination directory directly? Would that help?

tjainsworth 07-12-2006 01:00 PM

I agree - that to me would be the cleanest - - - now - - - anyone for the syntax and where to put it? Not very intuitive!

thanx!
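
One way to piggy-back on logrotate as discussed above, given as an added example that is not part of the original posts: a POSIX shell helper, called from logrotate once rotation is complete, that copies each rotated file to the archive under the `<date>_<hostname>_<original filename>` convention, refuses while the file is still held open, and verifies the copy before publishing it read-only. The script path, the `/mnt/logarchive` mount point and the syslogd pid file location are assumptions; the stanza in the header comment shows where the call would go.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to be run by logrotate itself, after
# the rename and after syslogd has been told to reopen its files, e.g.:
#
#   /var/log/messages /var/log/secure {
#       daily
#       rotate 7
#       sharedscripts
#       postrotate
#           /bin/kill -HUP "$(cat /var/run/syslogd.pid)"  # pid path varies by distro
#       endscript
#       lastaction
#           /usr/local/sbin/archive-rotated.sh /mnt/logarchive /var/log/messages.1 /var/log/secure.1
#       endscript
#   }
#
# /usr/local/sbin/archive-rotated.sh and /mnt/logarchive are assumed names.

# Build <date>_<hostname>_<original filename> from a rotated path such as messages.1
archive_name() {  # $1 = rotated file, $2 = date stamp, $3 = hostname
    an_base=$(basename "$1")
    printf '%s_%s_%s\n' "$2" "$3" "${an_base%.[0-9]*}"
}

# Copy one rotated file into the archive; prints the archived path on success.
archive_one() {  # $1 = rotated file, $2 = archive dir, $3 = date stamp (default: today)
    src=$1; dir=$2; stamp=${3:-$(date +%Y%m%d)}
    if [ ! -f "$src" ]; then echo "missing: $src" >&2; return 1; fi
    # Refuse while a writer still holds the old file open (fuser is from psmisc).
    if command -v fuser >/dev/null 2>&1 && fuser -s "$src" 2>/dev/null; then
        echo "still open: $src" >&2; return 2
    fi
    dest="$dir/$(archive_name "$src" "$stamp" "$(uname -n)")"
    # Never overwrite an existing archive entry.
    if [ -e "$dest" ]; then echo "exists: $dest" >&2; return 3; fi
    # Copy under a temporary name, verify byte-for-byte, then publish read-only.
    if ! cp -p "$src" "$dest.part" || ! cmp -s "$src" "$dest.part"; then
        rm -f "$dest.part"; echo "copy failed: $src" >&2; return 4
    fi
    chmod 0400 "$dest.part" && mv "$dest.part" "$dest" && echo "$dest"
}

# Command-line entry point: archive-rotated.sh ARCHIVE_DIR FILE...
if [ "$#" -ge 2 ]; then
    archive_dir=$1; shift
    for f in "$@"; do archive_one "$f" "$archive_dir" || exit $?; done
fi
```

A non-zero exit leaves the rotated file in place under /var/log, so a failed NFS copy can be retried before `rotate 7` ages the file out.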

