On Monday, November 23, 2020 9:21:56 AM EST Andreas Hasenack wrote:
> I'm checking auditd's native log rotation mechanism.
>
> The auditd.conf manpage states this for num_logs:
>
> "The excess log check is only done on startup and when a
> reconfigure results in a space check."
>
> I kept generating events, and truth be told, no rotation happened once
> the logfile size was above max_log_file. At least not after a few
> minutes.

Rotation is different than excess log checks. Log size checking is done every write. But this is only done when the daemon is not in debug mode and write_logs is not 0 and max_log_size_action is rotate and num_logs > 1.

> When does a space check happen, besides on a restart? Just external
> events like SIGUSR1 and perhaps SIGHUP?

Every 3 writes.

> Since these are external events, how do sysadmins deal with log
> rotation: completely ignore auditd's native mechanism and set up
> logrotate as usual?

Generally people fall into 3 camps. The first camp is they correctly configure the native implementation and just use it. The second camp needs something special. They either set max_log_size_action to keeplogs and then handle it on a cron job where that may use checkpointing. And yet another group just sends events to syslog and handles it via Splunk or Elasticsearch.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
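The conditions Steve lists (write_logs enabled, the size action set to rotate, num_logs greater than 1) can be checked straight from auditd.conf before relying on native rotation. The script below is an added example for this thread, not code from the thread or from the audit project. It uses the real auditd.conf key names as shipped in the package (write_logs, max_log_file in megabytes, max_log_file_action, num_logs; the thread abbreviates the action key as max_log_size_action), and the two configuration files it parses are constructed for the example. Debug mode (auditd -d) is a runtime flag rather than a config key, so it is not checked here.

```shell
#!/bin/sh
# Added example: decide from an auditd.conf whether auditd's own size-based
# rotation can fire. The sample configs written below are constructed.

# conf_get FILE KEY: print KEY's value, lowercased, with trailing '#' comments
# and whitespace stripped. Prints nothing when KEY is absent; last occurrence wins.
conf_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' "$1" |
        tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# audit_rotation_check FILE: return 0 when native rotation is effective,
# 1 otherwise. Every failing condition is reported on its own line.
audit_rotation_check() {
    _file=$1
    _ok=0
    _write_logs=$(conf_get "$_file" write_logs)
    _action=$(conf_get "$_file" max_log_file_action)
    _num_logs=$(conf_get "$_file" num_logs)
    _max_size=$(conf_get "$_file" max_log_file)

    # write_logs defaults to yes when the key is absent
    if [ "${_write_logs:-yes}" = "no" ]; then
        echo "write_logs = no: auditd writes no log file, so nothing rotates"
        _ok=1
    fi
    if [ "$_action" != "rotate" ]; then
        echo "max_log_file_action = ${_action:-<unset>}: reaching max_log_file will not rotate"
        _ok=1
    fi
    case $_num_logs in
        ''|*[!0-9]*)
            echo "num_logs = ${_num_logs:-<unset>}: not a number"
            _ok=1 ;;
        *)
            if [ "$_num_logs" -le 1 ]; then
                echo "num_logs = $_num_logs: must be greater than 1"
                _ok=1
            fi ;;
    esac
    if [ "$_ok" -eq 0 ]; then
        echo "native rotation active: rotate at ${_max_size:-<unset>} MB, keeping $_num_logs files"
    fi
    return "$_ok"
}

# Constructed sample 1: every condition satisfied.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
# constructed sample: rotation conditions satisfied
log_file = /var/log/audit/audit.log
write_logs = yes
max_log_file = 8
max_log_file_action = ROTATE
num_logs = 5
EOF

# Constructed sample 2: the "second camp" layout, where auditd stops
# rotating itself and an external job is expected to handle the files.
BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
# constructed sample: size limit set but native rotation can never fire
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = KEEP_LOGS   # hand off to an external rotation job
num_logs = 1
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

echo "== $GOOD_CONF"
audit_rotation_check "$GOOD_CONF"
echo "== $BAD_CONF"
audit_rotation_check "$BAD_CONF" || echo "-> external rotation required"
```

Run it against /etc/audit/auditd.conf on a host that seems not to rotate and the output names the setting that prevents it; a keep_logs result is the cue that the cron or logrotate side must exist, since auditd itself will keep writing to one growing file.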
