LinuxQuestions.org

Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Linux auditing (https://www.linuxquestions.org/questions/linux-security-4/linux-auditing-888327/)

BlackCrowe 06-25-2011 11:03 AM

Linux auditing
 
I'm trying to wrap my head around how the auditing works in /var/log/audit

audit.log
audit.log.1.gz
audit.log.2
audit.log.3
...
audit.log.10
...
audit.log.199

I know that the logs rotate after 5 MB and that this creates the audit.log."number" sequence.
I have a script that moves the audit .gz files off the server daily.

Can someone explain the relationship if any between the audit.log."number".gz and the audit.log."number" files?

I have been under the assumption that it was OK to take the .gz files and remove the non-zipped files (except the primary, in-use audit.log), since they are the audit.log."number" files zipped.


Thanks in advance.

Simon Bridge 06-25-2011 11:13 AM

Intriguing - usually the older logs get compressed to save space, only audit.log and audit.log.1 would be uncompressed. Compare with syslog.

aysheaia 06-26-2011 07:22 AM

Usually, logfile rotation is handled via logrotate, whose configuration files are located in /etc/logrotate.d/

That may not be the case with auditd.
On my system,
Code:

grep audit /etc/logrotate.d/*
gives nothing...

In fact, it seems that log rotation is handled internally by the audit daemon. Look at /etc/audit/auditd.conf :
Code:

$ cat /etc/redhat-release
CentOS release 5.6 (Final)
$ cat /etc/audit/auditd.conf
[...]
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
[...]
num_logs = 4
[...]
max_log_file = 5
max_log_file_action = ROTATE
[...]


chrism01 06-26-2011 08:54 PM

It's also possible that the conf file has been amended at some point and/or someone has added a logrotate entry for auditd, when, as above, it handles rotation internally.

Normally I'd expect to see either no gz, or all gz except for current open file.
Also, just copy off the latest gz, don't delete it as this may confuse the auditd process when it goes to the next log.

BlackCrowe 06-28-2011 01:57 PM

I only have one gzipped file now that I'm moving them off every night. I used to have many gzipped files accumulated.
audit.log.1.gz,audit.log.2.gz, ...
audit.log.20.gz ... audit.log.30.gz, ...

Maybe I am confusing the auditd process and maybe I'm going about it the wrong way.

Which files would I keep for retaining audit logs? And which ones can be removed?

I did have my /var/log/audit volume fill up last week. I had logs going as high as in the 300's for example; audit.log.388

aysheaia 06-28-2011 02:55 PM

From source code of audit RPM released with Fedora 15 (http://download.fedora.redhat.com/pu.../source/SRPMS/), I understand that :
- log rotation is indeed handled internally by the auditd daemon
- there is currently no compression after log rotation
So your audit.X.gz are not generated by auditd, but by something else (a customized script?)
I would suggest that you not disturb the auditd daemon with additional mechanisms.

Concerning the myriad of files generated, if you still have them after getting rid of the .gz files, you should post the content of the /etc/audit/auditd.conf file.

BlackCrowe 07-07-2011 11:11 AM

This is an excerpt from my /var/log/audit folder. I'm not sure what is zipping the files. I thought it was the audit config but I don't see it.

I really would like some clarification on which logs are OK to remove but not mess with the auditing process.

Is it OK to remove the let's say audit.log.100+ and above range? Leave the .gz ones alone as chrism01 stated?

audit.log
audit.log.1
audit.log.10
audit.log.100
...
audit.log.1.gz
audit.log.2
audit.log.20
audit.log.200
...
audit.log.299
audit.log.2.gz
audit.log.3
audit.log.30
audit.log.300
...

and so on.

unSpawn 07-07-2011 01:50 PM

Easiest would be to sort the list by modification time like 'stat -c "%y %x %z %n" audit.* | sort -k1' and then delete the oldest ones?
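The two suggestions above (aysheaia's point that auditd.conf, not logrotate, decides how many audit.log.N files auditd keeps, and unSpawn's sort-by-mtime to find the oldest candidates) combine into a small script. The following is an added example written for this page; it is not code from the thread, from auditd, or from any of the posters. It assumes the auditd.conf(5) reading that with max_log_file_action = ROTATE auditd keeps audit.log plus audit.log.1 through audit.log.(num_logs-1), that auditd never gzips anything (so every .gz is produced by something else), and that GNU coreutils are available for stat -c and touch -d. The sample directory it builds is constructed to resemble the listing in the thread.

```shell
#!/bin/bash
# Added example, not code from the thread. Splits the files in an auditd log
# directory into the set auditd itself manages and the strays that some other
# mechanism (a script, a logrotate entry) must have produced, then lists the
# strays oldest-mtime first, which is the order one would archive/remove them.
#
# ASSUMPTION (the author's reading of auditd.conf(5), not stated in the thread):
# with max_log_file_action = ROTATE, auditd keeps audit.log plus
# audit.log.1 .. audit.log.(num_logs-1). auditd never gzips, so every *.gz is
# a stray by definition. Requires GNU coreutils (stat -c, touch -d, mktemp -d).
set -u

# Print the value of <key> from an auditd.conf-style "key = value" file.
auditd_conf_value() {            # usage: auditd_conf_value <conf> <key>
    awk -v k="$2" -F'=' '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# Print the file names auditd keeps for a given num_logs, one per line.
auditd_managed_names() {         # usage: auditd_managed_names <num_logs>
    local n=$1 i=1
    echo audit.log
    while [ "$i" -lt "$n" ]; do
        echo "audit.log.$i"
        i=$((i + 1))
    done
}

# Print "<mtime-epoch> <name>" for every audit.log* file in <dir> that auditd
# does not manage (numbered beyond num_logs-1, or *.gz), sorted oldest first.
stray_audit_logs() {             # usage: stray_audit_logs <dir> <num_logs>
    local dir=$1 n=$2 f name
    for f in "$dir"/audit.log*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if auditd_managed_names "$n" | grep -qxF -- "$name"; then
            continue                 # audit.log, audit.log.1 .. .(n-1): leave alone
        fi
        printf '%s %s\n' "$(stat -c %Y "$f")" "$name"
    done | sort -n
}

# Build a CONSTRUCTED sample directory shaped like the one in the thread:
# auditd.conf with num_logs = 4, rotated logs, one stray .gz and one
# runaway-numbered file. Prints the directory path.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf 'log_file = %s/audit.log\nnum_logs = 4\nmax_log_file = 5\nmax_log_file_action = ROTATE\n' \
        "$d" > "$d/auditd.conf"
    touch -d '2011-06-28 10:00' "$d/audit.log"
    touch -d '2011-06-27 10:00' "$d/audit.log.1"
    touch -d '2011-06-26 10:00' "$d/audit.log.2"
    touch -d '2011-06-25 10:00' "$d/audit.log.3"
    touch -d '2011-06-24 10:00' "$d/audit.log.4"
    touch -d '2011-06-20 10:00' "$d/audit.log.1.gz"
    touch -d '2011-06-01 10:00' "$d/audit.log.388"
    echo "$d"
}

# Stand-alone demo: report what auditd manages and what is stray, then clean up.
demo() {
    local d n
    d=$(make_sample_dir)
    n=$(auditd_conf_value "$d/auditd.conf" num_logs)
    echo "num_logs = $n; auditd manages:"
    auditd_managed_names "$n" | sed 's/^/  /'
    echo "strays, oldest first (candidates for archiving or removal):"
    stray_audit_logs "$d" "$n" | sed 's/^/  /'
    rm -rf "$d"
}
demo
```

Run against a real system by replacing make_sample_dir with /var/log/audit and /etc/audit/auditd.conf; the script only reads and lists, so the actual removal remains a deliberate step, and anything in the managed set is left for auditd to rotate on its own.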

