* Audit log compression
From: Wyatt, Curtis R @ 2018-06-27 17:11 UTC (permalink / raw)
  To: linux-audit


What is the best/preferred method for compressing audit logs?

I was thinking logrotate wouldn't work because auditd usually rotates its own logs and is smarter about rotating logs (i.e., based on log size as opposed to having to wait before logrotate is kicked off).

Thanks


* Re: Audit log compression
From: leam hall @ 2018-06-27 17:14 UTC (permalink / raw)
  To: linux-audit

logrotate can be configured nicely. First big step is looking at
what's going into the logs, though. Are you logging at INFO level, and
do you need that? I've seen that be 90% or more of the log entries.

On Wed, Jun 27, 2018 at 1:11 PM, Wyatt, Curtis R <Curtis.Wyatt@gd-ms.com> wrote:
> What is the best/preferred method for compressing audit logs?
>
> I was thinking logrotate wouldn't work because auditd usually rotates its
> own logs and is smarter about rotating logs (i.e., based on log size as
> opposed to having to wait before logrotate is kicked off).
>
> Thanks

* RE: Audit log compression
From: Wyatt, Curtis R @ 2018-06-28 16:20 UTC (permalink / raw)
  To: leamhall; +Cc: linux-audit

Our audit.rules file is governed by requirements, so we cannot reduce the amount of log data being generated.

> logrotate can be configured nicely. First big step is looking at
> what's going into the logs, though. Are you logging at INFO level, and
> do you need that? I've seen that be 90% or more of the log entries.
