Use logrotate for audit logs?

Use logrotate for audit logs?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 182 bytes --]

Is there any reason to not use logrotate for audit logs on RHEL 6? We'd
like to keep them fresh and compressed.

Thanks!

Leam

-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 397 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Use logrotate for audit logs?

[Simon Sekidde]

Hi Leam

----- Original Message -----
> From: "leam hall" <leamhall@gmail.com>
> To: linux-audit@redhat.com
> Sent: Wednesday, October 19, 2016 3:26:23 PM
> Subject: Use logrotate for audit logs?
> 
> Is there any reason to not use logrotate for audit logs on RHEL 6? We'd like
> to keep them fresh and compressed.
> 

This was discussed a while back 

https://www.redhat.com/archives/linux-audit/2012-November/msg00008.html

> Thanks!
> 
> Leam
> 
> --
> Mind on a Mission
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E 

Re: Use logrotate for audit logs?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 1100 bytes --]

On Wed, Oct 19, 2016 at 4:46 PM, Simon Sekidde <ssekidde@redhat.com> wrote:

> Hi Leam
>
> ----- Original Message -----
> > From: "leam hall" <leamhall@gmail.com>
> > To: linux-audit@redhat.com
> > Sent: Wednesday, October 19, 2016 3:26:23 PM
> > Subject: Use logrotate for audit logs?
> >
> > Is there any reason to not use logrotate for audit logs on RHEL 6? We'd
> like
> > to keep them fresh and compressed.
> >
>
> This was discussed a while back
>
> https://www.redhat.com/archives/linux-audit/2012-November/msg00008.html
>
> > Thanks!
> >
> > Leam
> >
> > --
> > Mind on a Mission
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
>
> --
> Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
> gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
>
>
Simon, thanks!

In this case, Steve talks about the system being taken down due to audit
logs filling up the volumes. When that's not the best idea for a server, it
looks like logrotate is a better choice.

Leam


-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 2434 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Use logrotate for audit logs?

[Ryan Sawhill]

[-- Attachment #1.1: Type: text/plain, Size: 589 bytes --]

On Thu, Oct 20, 2016 at 7:32 AM, leam hall <leamhall@gmail.com> wrote:

> In this case, Steve talks about the system being taken down due to audit
> logs filling up the volumes. When that's not the best idea for a server, it
> looks like logrotate is a better choice.


No. You misunderstand.
auditd CAN be configured to take the system down when there's no more space
for audit logs; it does not do this by default. (See auditd.conf's various
*_action directives, e.g., disk_full_action.) There is IMHO very little
reason to switch to using logrotate. Please check out `man auditd.conf`.

[-- Attachment #1.2: Type: text/html, Size: 921 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]