On Wed, Mar 22, 2017 at 5:19 PM, warron.french wrote:
> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
> Rolling log files either when they hit a certain size or the day
> changed over at midnight.
>
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> but there was no "builtin" for managing auto rotation at the start of a new
> day (0000 hrs).
>
> It looks like there is a file called
> */usr/share/doc/auditd-<version>/auditd.cron*.
> To me, this file is new; considering I needed it 8 months ago.
>
> *Anyway, how is this file implemented?* Simply move it to a directory
> with permissions to execute; ensure it is executable and then simply set up
> a cronjob to execute it at whatever time of day that I wish?
>
> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*

Steve covered the important parts, but for more hand-holding:

How to implement audit log rotation with compression based on time instead of size
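
Added example, not part of the original message and not the auditd project's or the linked article's script: one way to do the time-based rotation with compression discussed above from a daily cron job. It assumes the default /var/log/audit directory, gzip, GNU `date -r FILE`, and a hypothetical `KEEP` retention count; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not the shipped auditd.cron): rotate at a fixed time, then compress.
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"  # assumption: default auditd log directory
KEEP="${KEEP:-30}"                        # assumption: archives to retain

# Rename auditd's numbered logs (audit.log.1, .2, ...) to timestamped names and
# gzip them, so the daemon's own renumbering never collides with the archives.
# Prints the path of each archive created.
archive_rotated() {
    dir=$1
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        # Only purely numeric suffixes are daemon-rotated logs; skip archives.
        case ${f##*/audit.log.} in *[!0-9]*) continue ;; esac
        stamp=$(date -r "$f" +%Y%m%dT%H%M%S) || return 1   # file mtime (GNU date)
        dest="$dir/audit.log.$stamp-${f##*.}"
        if [ -e "$dest.gz" ]; then continue; fi            # never overwrite
        mv "$f" "$dest" && gzip "$dest" && echo "$dest.gz"
    done
}

# Delete all but the newest $2 archives in $1; fixed-width stamps sort by time.
prune_archives() {
    ls "$1"/audit.log.*.gz 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" |
    while IFS= read -r old; do rm -f -- "$old"; done
}

rotate_daily() {
    archive_rotated "$AUDIT_DIR" || return 1   # sweep up earlier size-based rotations
    if ! service auditd rotate; then           # same command auditd.cron runs
        logger -t auditd "ALERT: log rotation failed"
        return 1
    fi
    sleep 5                                    # let the daemon finish renaming
    archive_rotated "$AUDIT_DIR" && prune_archives "$AUDIT_DIR" "$KEEP"
}

# Cron entry point, e.g. "0 0 * * * root /path/to/this-script run" (path is a placeholder).
if [ "${1:-}" = "run" ]; then rotate_daily; fi
```

The archives keep the mode and ownership of the rotated log, since `mv` and `gzip` preserve them.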