Hi, I'm checking auditd's native logrotation mechanism.
The auditd.conf manpage states this for num_logs: "The excess log check is only done on startup and when a reconfigure results in a space check." I kept generating events, and truth be told, no rotation happened once the logfile size was above max_log_file. At least not after a few minutes. When does a space check happens, besides on a restart? Just external events likg SIGUSR1 and perhaps SIGHUP? Since these are external events, how do sysadmins deal with log rotation: completely ignore auditd's native mechanism and setup logrotate as usual? -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
