LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page The auditd daemon stops logging after deleting audit.log until auditd is restarted
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-20-2013, 11:55 AM   #1
Latitude
Member
 
Registered: Mar 2009
Posts: 65

Rep: Reputation: 16
The auditd daemon stops logging after deleting audit.log until auditd is restarted

I am using Red Hat Enterprise Linux Server 6.1 and must copy audit.log files on a weekly basis to DVD and save them off on another audit log backup server. After clearing (deleting using rm -Rf) audit.log files and without restarting the auditd daemon, I noticed the server doesn't log any more events until I restart the auditd daemon (by rebooting). Is this typical of auditd to stop logging once audit.log has been deleted, requiring the daemon to be restarted?
 
Old 06-20-2013, 01:05 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Processes usually don't agree with you deleting open files without closing the file descriptor properly. On top of that the auditd service comes with its own log rotation options (as in maybe use those instead). And RHEL 6 has been at Update 4 for some time now.
 
Old 06-20-2013, 03:10 PM   #3
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513Reputation: 1513
I believe you are supposed to send auditd a "SIGUSR1" signal to tell it to rotate logs. You can then do whatever you want to the old log.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Auditd file logging not logging daemon processes Charles Darwin Linux - Newbie 5 04-24-2013 06:14 PM
pam_tally2 and auditd - failed logins do not make it to audit.log aj33 Linux - Security 7 11-15-2012 01:42 PM
auditd: auditd startup failed cmschube Red Hat 2 05-11-2009 07:08 AM
auditd audit.log not display date or user mccartjd Linux - Security 10 06-11-2008 08:17 PM
Auditd Daemon Threshold xmdms Linux - Software 0 08-02-2006 06:53 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:48 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration