Old 12-15-2009, 12:04 PM   #1
Latte
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Rep: Reputation: 0
wtmp and auth.log data retention


I'm looking through my wtmp and auth.log files on an Ubuntu 8.04 64-bit server install. The files don't contain much data beyond 60 days. I have looked in /etc/logrotate.d/ files to see if there is a limit set; however, I don't even find any settings specific to these logs.

Can someone tell me what the default data retention is for these logs, where that is stored, and how to change the default?

Thanks.
 
Old 12-15-2009, 02:16 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If no service-specific configuration files exist in /etc/logrotate.d, and they're not in /etc/logrotate.d/system for example, then check /etc/logrotate.conf?
 
Old 12-15-2009, 02:54 PM   #3
Latte
LQ Newbie
 
Registered: Dec 2009
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by unSpawn
If no service-specific configuration files exist in /etc/logrotate.d, and they're not in /etc/logrotate.d/system for example, then check /etc/logrotate.conf?
I found an entry in /etc/logrotate.conf as you suggested. It says:

/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

So, if I understand this correctly, the wtmp files should be getting rotated every month; however, because of the "rotate 1" option I will only have one historical log (i.e., wtmp.1) at any given time.

Can I remove the "rotate 1" option to keep logs indefinitely? There isn't a great deal of login activity so filling up the drive isn't really a concern.

There is also an entry for /var/log/btmp which, as I understand it, is for bad login attempts and has the same settings as utmp. So, I want to remove the "rotate 1" option from it.

None of these has anything to do with the auth.log files, so I would still like to know where the settings for those are stored. I don't believe the system has been compromised, but the prior sys admin didn't leave on the best terms and I am wondering if he deleted them or if this is normal system behavior.

Thanks.
 
Old 12-15-2009, 03:58 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Latte
Can I remove the "rotate 1" option to keep logs indefinitely?
I haven't ever tried removing the statement to see if logrotation works.


Quote:
Originally Posted by Latte
There isn't a great deal of login activity so filling up the drive isn't really a concern.
That could mean that if a great deal of login activity occurs a drive may fill up. In my opinion it would be better to ensure you have safe values instead. Calculate how much data it sees on average, add an estimated buffer amount then adjust your rotation pattern to that.


Quote:
Originally Posted by Latte
None of these has anything to do with the auth.log files, so I would still like to know where the settings for those are stored.
/etc/cron\..*/sysklogd: see for example http://www.ducea.com/2006/06/06/rota...part-1-syslog/.


Quote:
Originally Posted by Latte
I don't believe the system has been compromised
Alteration, misconfiguration, compromise are system states where terms like "worry", "concern", "think" or "believe" do not apply: ensure integrity instead by verifying package contents and visual inspection of configuration files.
 
1 members found this post helpful.
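
The arithmetic behind the roughly 60 days of data noted in post #1 and the "adjust your rotation pattern" advice in post #4, as an added example (not code posted by anyone in the thread): it parses logrotate stanzas and reports the most days of data each log can hold. The global `weekly` / `rotate 4` lines and the btmp stanza without `rotate` are constructed, and size-based rotation, `maxage` and `include` are ignored.

```python
PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}  # approx.

def retention(conf_text):
    """Map each log path to (period, rotate_count, max_days_on_disk).
    Directives outside a stanza are global; 'rotate' starts at logrotate's
    built-in default of 0 (old log removed at rotation, no .1 kept)."""
    glob = {"period": None, "rotate": 0}
    result, current, paths = {}, None, []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[-1] == "{":                    # "/path [/path2 ...] {"
            paths, current = words[:-1], dict(glob)
        elif words == ["}"]:                    # stanza ends: record it
            period, keep = current["period"], current["rotate"]
            # Live file holds up to one period, plus one period per old copy.
            days = PERIOD_DAYS[period] * (keep + 1) if period else None
            for path in paths:
                result[path] = (period, keep, days)
            current = None
        else:
            target = glob if current is None else current
            if words[0] in PERIOD_DAYS:
                target["period"] = words[0]
            elif words[0] == "rotate" and len(words) == 2 and words[1].isdigit():
                target["rotate"] = int(words[1])
    return result

# Constructed sample: the wtmp stanza quoted in the thread, plus a btmp
# stanza with "rotate 1" removed, under constructed global defaults.
SAMPLE = """\
weekly
rotate 4
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0664 root utmp
}
"""

if __name__ == "__main__":
    for path, (period, keep, days) in retention(SAMPLE).items():
        print(f"{path}: {period}, rotate {keep}, at most ~{days} days on disk")
```

For the thread's stanza this gives at most about 60 days for wtmp. A stanza with no `rotate` of its own inherits the global count, and with no `rotate` anywhere the count is 0, so only the live file survives each rotation.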
  

