Audit Storage Capacity

jaypas · 08-30-2010, 01:42 PM

Hi, all,
How do I calculate the values of num_logs and max_log_file in auditd.conf? Currently, num_logs is set to 4 and max_log_file is set to 5M. The logs are rotating too quickly.

Are there any guidelines on what the values and actions are in auditd.conf? I looked in the UNIX STIG, but I didn't find anything related to this.

Thanks,
Jaypas

unSpawn · 08-31-2010, 07:35 AM

Quote:

Originally Posted by jaypas

The logs are rotating too quickly.

By default /etc/audit/auditd.rules is empty so I'd say it depends on how many rules you've loaded and how many times they get tripped.

Quote:

Originally Posted by jaypas

Are there any guidelines on what the values and actions are in auditd.conf?

The manual page is pretty clear on things but you are not. Specific requirements and such. The more details the better.