Quote:
Originally Posted by flatplane
I try to be PCI compliant.
Next time please try to be complete in your original post (OP) when presenting your problem.
Quote:
Originally Posted by flatplane
Audispd restarted alone does not work anymore.
Did it ever? That would be absolutely wrong for the reasons I gave...
Quote:
Originally Posted by flatplane
The problem is that when audit.log rotation occurs, syslog-ng loses the inode and no longer follows the records.
Syslog implementations respond to signals like "HUP" by reopening log files. Check if Syslog-NG does that too. Auditd responds to SIGUSR1 and SIGUSR2 for rotating logs and resuming logging. So with those you have full control over when you want to rotate logs (if you configure audit properly), if you're thinking of replacing the default rotate behaviour with a cronjob in which you can govern both Syslog-NG and Auditd. (To avoid missing logs during rotation, raise the kernel backlog buffers ("-b") in /etc/audit/audit.rules from 64 1K buffers to the maximum of 99.) Did you look into audisp remote logging directly using the "audisp-remote" plugin? BTW, how many logs do you keep? And what are their file sizes?
Back to checking the killing of audisp: given the default af_unix plugin using the /var/run/audispd_events socket, you could poll it (something like '/sbin/fuser /var/run/audispd_events') for usage and respond to that?
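The cron-driven approach suggested in the reply above (auditd rotates on SIGUSR1, syslog-ng reopens its files on SIGHUP, and the audispd socket is checked with fuser) can be put together as one small helper. The script below is an added example, not code from either poster: the pidfile and log paths are the common defaults on Linux but are assumptions, and the DRY_RUN switch exists only so the logic can be exercised without real daemons.

```shell
#!/bin/sh
# Added example (not from the original thread): coordinate auditd log rotation
# with syslog-ng so syslog-ng re-opens audit.log after its inode changes.
# The paths below are assumed defaults; override them via the environment.
AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"
SYSLOGNG_PIDFILE="${SYSLOGNG_PIDFILE:-/var/run/syslog-ng.pid}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
AUDISPD_SOCKET="${AUDISPD_SOCKET:-/var/run/audispd_events}"
# DRY_RUN=1 prints the kill commands instead of sending signals.
DRY_RUN="${DRY_RUN:-0}"

# Read a numeric pid from a pidfile; fail if the file is missing or malformed.
read_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Send a signal to the process named in a pidfile (or print it in dry-run mode).
signal_from_pidfile() {
    sig="$1"; pidfile="$2"
    pid=$(read_pid "$pidfile") || { echo "no valid pid in $pidfile" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'kill -%s %s\n' "$sig" "$pid"
    else
        kill -"$sig" "$pid"
    fi
}

# Inode of a file, or an empty string if it does not exist (never fails).
file_inode() {
    stat -c %i "$1" 2>/dev/null || true
}

# Rotation step: ask auditd to rotate (SIGUSR1), wait until audit.log has a new
# inode, then tell syslog-ng to reopen its files (SIGHUP) so it follows the new one.
rotate_audit_and_reopen_syslog() {
    before=$(file_inode "$AUDIT_LOG")
    signal_from_pidfile USR1 "$AUDITD_PIDFILE" || return 1
    if [ "$DRY_RUN" != 1 ]; then
        i=0
        while [ "$(file_inode "$AUDIT_LOG")" = "$before" ] && [ "$i" -lt 10 ]; do
            sleep 1; i=$((i + 1))
        done
    fi
    signal_from_pidfile HUP "$SYSLOGNG_PIDFILE"
}

# Succeeds when some process still holds the audispd af_unix socket open;
# fuser exits non-zero when nothing uses the file.
audispd_socket_in_use() {
    fuser "$AUDISPD_SOCKET" >/dev/null 2>&1
}

# Cron entry point: "rotate" performs the coordinated rotation, "check-socket"
# reports whether audispd's socket is still in use.
case "${1:-}" in
    rotate) rotate_audit_and_reopen_syslog ;;
    check-socket)
        if audispd_socket_in_use; then echo "audispd socket in use"
        else echo "audispd socket idle"; fi ;;
esac
```

Run it from cron as `rotate` in place of auditd's built-in rotation, and pair it with a raised `-b` backlog in audit.rules as the reply recommends; the inode wait is what keeps syslog-ng from being told to reopen before auditd has actually switched files.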