* run script after auditd rotates logs
@ 2023-03-18 14:36 Christiansen, Edward - 0992 - MITLL
  2023-03-19  1:25 ` Burn Alting
  0 siblings, 1 reply; 3+ messages in thread
From: Christiansen, Edward - 0992 - MITLL @ 2023-03-18 14:36 UTC (permalink / raw)
  To: linux-audit


I would like to know if there is a way to tell auditd to run a script or 
command after it rotates its logs.  I can do this with logrotate, but would 
much prefer something native to auditd.  I spent some time with Google and 
found only logrotate solutions.

Thanks,

Ed Christiansen
Millstone Hill SysAdmin

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

* Re: run script after auditd rotates logs
  2023-03-18 14:36 run script after auditd rotates logs Christiansen, Edward - 0992 - MITLL
@ 2023-03-19  1:25 ` Burn Alting
  2023-03-20 13:04   ` Christiansen, Edward - 0992 - MITLL
  0 siblings, 1 reply; 3+ messages in thread
From: Burn Alting @ 2023-03-19  1:25 UTC (permalink / raw)
  To: Christiansen, Edward - 0992 - MITLL, linux-audit


Ed,
One indirect way of achieving this is to author a script that
- sends SIGUSR1 to the auditd process (which causes auditd to immediately
  rotate the logs. It will consult the max_log_file_action to see if it should
  keep the logs or not.)
- do whatever you need to do with the rolled over audit.log files
Clearly you only have access to the rolled over log files (given that's what you
want).
Rgds

On Sat, 2023-03-18 at 14:36 +0000, Christiansen, Edward - 0992 - MITLL wrote:
> I would like to know if there is a way to tell auditd to run a script or command
> after it rotates its logs.  I can do this with logrotate, but would much prefer
> something native to auditd.  I spent some time with Google and found only
> logrotate solutions.
> Thanks,
> Ed Christiansen
> Millstone Hill SysAdmin
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit
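
The two steps from the reply above, written out as a wrapper script. This is an added example, not part of the original thread or of the audit project. It assumes the default log path /var/log/audit/audit.log, a PID file at /run/auditd.pid, and that rotation renames audit.log to audit.log.1; the handler is whatever command you supply.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed defaults: log path, PID file.
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
AUDITD_PIDFILE=${AUDITD_PIDFILE:-/run/auditd.pid}

# Print the inode number of a file (empty output if it does not exist).
inode_of() { ls -i "$1" 2>/dev/null | awk '{print $1}'; }

# wait_for_rotation OLD_INODE [SECONDS]
# Assumption: rotation renames audit.log to audit.log.1, so the rotated file
# carries the inode that audit.log had before the signal was sent.
wait_for_rotation() {
    old=$1 tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        [ "$(inode_of "$AUDIT_LOG.1")" = "$old" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    return 1
}

# rotate_and_run HANDLER [ARGS...]
# Signals auditd, waits for the rollover, then runs HANDLER on audit.log.1.
rotate_and_run() {
    pid=$(cat "$AUDITD_PIDFILE") || return 1
    old=$(inode_of "$AUDIT_LOG")
    [ -n "$old" ] || return 1
    kill -USR1 "$pid" || return 1
    if ! wait_for_rotation "$old" 10; then
        echo "no rollover seen; check max_log_file_action in auditd.conf" >&2
        return 2
    fi
    "$@" "$AUDIT_LOG.1"
}

# Run as: sh this-script HANDLER [ARGS...]  (handler is whatever you supply)
if [ "$#" -gt 0 ]; then rotate_and_run "$@"; fi
```

Waiting for the inode to move matters because the signal is asynchronous: without it the handler can run against the previous audit.log.1 before auditd has finished the rollover.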

* RE: run script after auditd rotates logs
  2023-03-19  1:25 ` Burn Alting
@ 2023-03-20 13:04   ` Christiansen, Edward - 0992 - MITLL
  0 siblings, 0 replies; 3+ messages in thread
From: Christiansen, Edward - 0992 - MITLL @ 2023-03-20 13:04 UTC (permalink / raw)
  To: burn, linux-audit


Thanks.  This is definitely the info I was looking for.


From: Burn Alting <burn.alting@iinet.net.au>
Sent: Saturday, March 18, 2023 9:26 PM
To: Christiansen, Edward - 0992 - MITLL <edwardc@ll.mit.edu>; 
linux-audit@redhat.com
Subject: Re: run script after auditd rotates logs

Ed,

One indirect way of achieving this is to author a script that

- sends SIGUSR1 to the auditd process (which causes auditd to immediately 
  rotate the logs. It will consult the max_log_file_action to see if it should 
  keep the logs or not.)
- do whatever you need to do with the rolled over audit.log files

Clearly you only have access to the rolled over log files (given that's what 
you want).

Rgds


On Sat, 2023-03-18 at 14:36 +0000, Christiansen, Edward - 0992 - MITLL wrote:

I would like to know if there is a way to tell auditd to run a script or
command after it rotates its logs.  I can do this with logrotate, but would
much prefer something native to auditd.  I spent some time with Google and
found only logrotate solutions.

Thanks,

Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit