LinuxQuestions.org
Old 06-25-2011, 11:03 AM   #1
BlackCrowe
Member
 
Registered: Aug 2010
Posts: 41
Linux auditing


I'm trying to wrap my head around how the auditing works in /var/log/audit

audit.log
audit.log.1.gz
audit.log.2
audit.log.3
...
audit.log.10
...
audit.log.199

I know that the logs rotate after 5 MB and that this creates the audit.log."number" sequence.
I have a script that moves the audit .gz files off the server daily.

Can someone explain the relationship if any between the audit.log."number".gz and the audit.log."number" files?

I have been under the assumption that it was OK to take the .gz files and remove the non-zipped files (except the primary in-use audit.log), since they are the audit.log."number" files zipped.


Thanks in advance.
 
Old 06-25-2011, 11:13 AM   #2
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Intriguing - usually the older logs get compressed to save space, only audit.log and audit.log.1 would be uncompressed. Compare with syslog.
 
Old 06-26-2011, 07:22 AM   #3
aysheaia
LQ Newbie
 
Registered: Jun 2011
Distribution: Ubuntu
Posts: 26
Usually, logfile rotation is handled via logrotate, whose configuration files are located in /etc/logrotate.d/

That may not be the case with auditd.
On my system,
Code:
grep audit /etc/logrotate.d/*
gives nothing...

In fact, it seems that log rotation is handled internally by the audit daemon. Look at /etc/audit/auditd.conf:
Code:
$ cat /etc/redhat-release 
CentOS release 5.6 (Final)
$ cat /etc/audit/auditd.conf
[...]
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
[...]
num_logs = 4
[...]
max_log_file = 5 
max_log_file_action = ROTATE
[...]
 
Old 06-26-2011, 08:54 PM   #4
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,280
It's also possible that the conf file has been amended at some point and/or someone has added a logrotate entry for auditd, when, as above, it handles rotation internally.

Normally I'd expect to see either no gz, or all gz except for current open file.
Also, just copy off the latest gz, don't delete it as this may confuse the auditd process when it goes to the next log.
 
Old 06-28-2011, 01:57 PM   #5
BlackCrowe
Member
 
Registered: Aug 2010
Posts: 41
Original Poster
I only have one gzipped file now that I'm moving them off every night. I used to have many gzipped files accumulated.
audit.log.1.gz,audit.log.2.gz, ...
audit.log.20.gz ... audit.log.30.gz, ...

Maybe I am confusing the auditd process and maybe I'm going about it the wrong way.

Which files would I keep for retaining audit logs? And which ones can be removed?

I did have my /var/log/audit volume fill up last week. I had logs going as high as the 300s, for example audit.log.388.
 
Old 06-28-2011, 02:55 PM   #6
aysheaia
LQ Newbie
 
Registered: Jun 2011
Distribution: Ubuntu
Posts: 26
From the source code of the audit RPM released with Fedora 15 (http://download.fedora.redhat.com/pu.../source/SRPMS/), I understand that:
- log rotation is indeed handled internally by the auditd daemon
- there is currently no compression after log rotation
So your audit.X.gz are not generated by auditd, but by something else (a customized script?)
I would suggest that you not disturb the auditd daemon with additional mechanisms.

Concerning the myriad of files generated, if you still have them after getting rid of the .gz files, you should post the content of the /etc/audit/auditd.conf file.
 
Old 07-07-2011, 11:11 AM   #7
BlackCrowe
Member
 
Registered: Aug 2010
Posts: 41
Original Poster
This is an excerpt from my /var/log/audit folder. I'm not sure what is zipping the files. I thought it was the audit config but I don't see it.

I really would like some clarification on which logs are OK to remove but not mess with the auditing process.

Is it OK to remove, let's say, the audit.log.100 and above range, and leave the .gz ones alone as chrism01 stated?

audit.log
audit.log.1
audit.log.10
audit.log.100
...
audit.log.1.gz
audit.log.2
audit.log.20
audit.log.200
...
audit.log.299
audit.log.2.gz
audit.log.3
audit.log.30
audit.log.300
...

and so on.
 
Old 07-07-2011, 01:50 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,374
Blog Entries: 54
Easiest would be to sort the list by modification time, like 'stat -c "%y %x %z %n" audit.* | sort -k1', and then delete the oldest ones?
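One way to answer "which files belong to auditd's own rotation and which can be moved off", as an added example that is not code from the thread or from the audit project: it reads num_logs and max_log_file_action out of auditd.conf (the settings post #3 shows), classifies every audit.log* file as KEEP (inside auditd's ROTATE chain) or EXTRA (outside it), and lists the EXTRA files oldest-first by modification time, which is post #8's stat | sort idea done with ls -tr. It assumes that with max_log_file_action = ROTATE auditd keeps audit.log plus audit.log.1 through audit.log.(num_logs-1), i.e. num_logs files in total as auditd.conf(5) describes, and that .gz files and higher-numbered files were produced by something other than auditd (post #6). The config and the directory it runs on are constructed inline to mirror the listings in posts #3 and #7; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies an auditd log directory
# against the retention that auditd.conf declares and lists the files outside
# that retention oldest-first, so an archiving script can start with the oldest.
#
# Assumptions (mine, not stated on the page):
#   - with max_log_file_action = ROTATE auditd keeps audit.log plus
#     audit.log.1 .. audit.log.(num_logs-1): num_logs files in total
#   - *.gz files and higher-numbered files come from something other than auditd

# audit_conf_value CONF KEY: print the value of the last "KEY = value" line
audit_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\\([^[:space:]#]*\\).*/\\1/p" "$1" | tail -n 1
}

# audit_class NAME NUM_LOGS: print KEEP or EXTRA for one file name
audit_class() {
    name=$1; num=$2
    case $name in
        audit.log) echo KEEP ;;
        audit.log.*.gz) echo EXTRA ;;          # auditd never compresses
        audit.log.*)
            s=${name#audit.log.}
            case $s in
                ''|*[!0-9]*) echo EXTRA ;;      # non-numeric suffix
                *) if [ "$s" -ge 1 ] && [ "$s" -lt "$num" ]; then echo KEEP; else echo EXTRA; fi ;;
            esac ;;
        *) echo EXTRA ;;
    esac
}

# audit_classify DIR CONF: one "KEEP name" / "EXTRA name" line per file
audit_classify() {
    num=$(audit_conf_value "$2" num_logs); num=${num:-0}   # 0 = no rotation
    for f in "$1"/audit.log*; do
        [ -e "$f" ] || continue
        n=${f##*/}
        printf '%s %s\n' "$(audit_class "$n" "$num")" "$n"
    done
}

# audit_extra_oldest_first DIR CONF: EXTRA files in mtime order, oldest first
audit_extra_oldest_first() {
    num=$(audit_conf_value "$2" num_logs); num=${num:-0}
    # ls -tr is the POSIX way to order by modification time, oldest first
    (cd "$1" && ls -tr audit.log*) | while read -r n; do
        if [ "$(audit_class "$n" "$num")" = EXTRA ]; then printf '%s\n' "$n"; fi
    done
}

# audit_fixture: constructed data, not a real /var/log/audit. Builds a temp dir
# holding an auditd.conf like post #3 and a file series like post #7, with
# distinct mtimes (high numbers oldest, audit.log newest), and prints its path.
audit_fixture() {
    d=$(mktemp -d)
    cat > "$d/auditd.conf" <<'EOF'
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
EOF
    mkdir "$d/audit"
    day=1
    for n in 300 200 100 30 20 10 2.gz 1.gz 3 2 1; do
        : > "$d/audit/audit.log.$n"
        touch -t "$(printf '201106%02d0000' "$day")" "$d/audit/audit.log.$n"
        day=$((day + 1))
    done
    : > "$d/audit/audit.log"
    touch -t 201106200000 "$d/audit/audit.log"
    printf '%s\n' "$d"
}

# Demo on the constructed fixture
fx=$(audit_fixture)
echo "num_logs=$(audit_conf_value "$fx/auditd.conf" num_logs) action=$(audit_conf_value "$fx/auditd.conf" max_log_file_action)"
audit_classify "$fx/audit" "$fx/auditd.conf"
echo "--- EXTRA files, oldest first (archive in this order) ---"
audit_extra_oldest_first "$fx/audit" "$fx/auditd.conf"
rm -rf "$fx"
```

On a real box the last two functions take the real paths, e.g. audit_extra_oldest_first /var/log/audit /etc/audit/auditd.conf, and the natural follow-up is to move (not delete, per post #4) only the EXTRA names, never audit.log or the num_logs-1 files auditd will rename on its next rotation. With num_logs = 4 as in post #3, a file named audit.log.388 is by definition outside auditd's own chain, which is the sign that some other process is renaming or compressing in that directory.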