LinuxQuestions.org - Linux - Security - wtmp and auth.log data retention (https://www.linuxquestions.org/questions/linux-security-4/wtmp-and-auth-log-data-retention-775833/)

Latte 12-15-2009 12:04 PM

wtmp and auth.log data retention
 
I'm looking through my wtmp and auth.log files on an Ubuntu 8.04 64-bit server install. The files don't contain much data beyond 60 days. I have looked in /etc/logrotate.d/ files to see if there is a limit set; however, I don't even find any settings specific to these logs.

Can someone tell me what the default data retention is for these logs, where that is stored, and how to change the default?

Thanks.

unSpawn 12-15-2009 02:16 PM

If no service-specific configuration files exist in /etc/logrotate.d, and they're not in /etc/logrotate.d/system for example, then check /etc/logrotate.conf?

Latte 12-15-2009 02:54 PM

Quote:

Originally Posted by unSpawn (Post 3792655)
If no service-specific configuration files exist in /etc/logrotate.d, and they're not in /etc/logrotate.d/system for example, then check /etc/logrotate.conf?

I found an entry in /etc/logrotate.conf as you suggested. It says:

    /var/log/wtmp {
        missingok
        monthly
        create 0664 root utmp
        rotate 1
    }

So, if I understand this correctly, the wtmp files should be getting rotated every month; however, because of the "rotate 1" option I will only have one historical log (i.e., wtmp.1) at any given time.

Can I remove the "rotate 1" option to keep logs indefinitely? There isn't a great deal of login activity so filling up the drive isn't really a concern.

There is also an entry for /var/log/btmp which, as I understand it, is for bad login attempts and has the same settings as utmp. So, I want to remove the "rotate 1" option from it.

None of these has anything to do with the auth.log files, so I would still like to know where the settings for those are stored. I don't believe the system has been compromised, but the prior sys admin didn't leave on the best terms and I am wondering if he deleted them or if this is normal system behavior.

Thanks.

unSpawn 12-15-2009 03:58 PM

Quote:

Originally Posted by Latte (Post 3792696)
Can I remove the "rotate 1" option to keep logs indefinitely?

I haven't ever tried removing the statement to see if logrotation works.


Quote:

Originally Posted by Latte (Post 3792696)
There isn't a great deal of login activity so filling up the drive isn't really a concern.

That could mean that if a great deal of login activity occurs a drive may fill up. In my opinion it would be better to ensure you have safe values instead. Calculate how much data it sees on average, add an estimated buffer amount then adjust your rotation pattern to that.


Quote:

Originally Posted by Latte (Post 3792696)
None of these has anything to do with the auth.log files, so I would still like to know where the settings for those are stored.

/etc/cron\..*/sysklogd: see for example http://www.ducea.com/2006/06/06/rota...part-1-syslog/.


Quote:

Originally Posted by Latte (Post 3792696)
I don't believe the system has been compromised

Alteration, misconfiguration, compromise are system states where terms like "worry", "concern", "think" or "believe" do not apply: ensure integrity instead by verifying package contents and visual inspection of configuration files.
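Added example, not from the thread: a stanza with no rotate line inherits the file's global rotate value (Ubuntu's stock logrotate.conf sets rotate 4), and with no global value at all logrotate defaults to 0, which deletes the old copy rather than keeping it, so dropping "rotate 1" does not keep wtmp indefinitely. The script below parses stanzas like the one quoted above to report the retention actually in effect, then sizes a rotate count from a target retention and a disk budget in the way unSpawn describes; the global lines, the btmp stanza without a rotate directive, the byte figures and the 25% buffer are constructed.

```shell
# Constructed sample in the style of Ubuntu's /etc/logrotate.conf: global
# defaults, the wtmp stanza from the thread, and a btmp stanza with no rotate.
SAMPLE_CONF='weekly
rotate 4
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
}'

# Print "<interval> <rotate>" in effect for one log path: stanza directives
# override the globals, and a missing rotate falls back to 0 (old copy deleted).
stanza_policy() {   # $1 = config text, $2 = log path
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "{" { inb = 1; tgt = ($1 == p); iv = giv; n = gn; next }
        $1 == "}" { if (tgt) { if (iv == "") iv = "none"; print iv, n + 0; exit }
                    inb = 0; next }
        $1 ~ /^(daily|weekly|monthly|yearly)$/ { if (inb) iv = $1; else giv = $1 }
        $1 == "rotate" { if (inb) n = $2; else gn = $2 }'
}

# Days of history kept on disk: rotate count times interval length.
retention_days() {  # $1 = interval, $2 = rotate count
    case "$1" in
        daily) d=1 ;; weekly) d=7 ;; monthly) d=30 ;; yearly) d=365 ;;
        *) echo 0; return ;;
    esac
    echo $(( $2 * d ))
}

# Rotate count that covers a target retention, rounded up (0 if interval unknown).
rotate_for() {      # $1 = target days, $2 = interval
    d=$(retention_days "$2" 1)
    [ "$d" -gt 0 ] || { echo 0; return; }
    echo $(( ($1 + d - 1) / d ))
}

# Largest count a disk budget allows: measured average bytes per interval plus
# a safety buffer percentage, rather than keeping logs "forever".
rotate_affordable() {   # $1 = budget bytes, $2 = avg bytes per interval, $3 = buffer %
    echo $(( $1 * 100 / ($2 * (100 + $3)) ))
}
```

Run with a real file via stanza_policy "$(cat /etc/logrotate.conf)" /var/log/wtmp, and check any edited stanza with logrotate -d /etc/logrotate.conf before relying on it.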

