From: Ryan Sawhill
Subject: Re: auditd.cron
Date: Thu, 23 Mar 2017 10:45:25 -0400
To: "warron.french"
Cc: linux-audit@redhat.com

On Wed, Mar 22, 2017 at 5:19 PM, warron.french wrote:

> So, I needed a feature over 8 months ago, nobody could provide one for the
> following:
> Rolling log files either when they hit a certain size or the day
> changed over at midnight.
>
> I know that I could have rolled the files at a specific size, by using the
> *max_log_file* attribute as identified in the */etc/audit/auditd.conf*,
> but there was no "builtin" for managing auto rotation at the start of a new
> day (0000 hrs).
>
> It looks like there is a file called
> */usr/share/doc/auditd-<version>/auditd.cron*.
> To me, this file is new; considering I needed it 8 months ago.
>
> *Anyway, how is this file implemented?* Simply move it to a directory
> with permissions to execute; ensure it is executable and then simply set up
> a cronjob to execute it at whatever time of day that I wish?
>
> *Finally, if I have '-e 2' as the last control in the audit.rules file;
> will the auditd.cron which executes as service auditd rotate still function
> properly?*

Steve covered the important parts, but for more hand-holding:

How to implement audit log rotation with compression based on time instead of size
