From: David Flatley
Subject: question
Date: Fri, 31 Oct 2008 14:21:12 -0400
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

If you would indulge my simpler-in-comparison question of the group. I am setting up audit on heavy usage systems.

I have set up my auditd.conf to rotate the files once they get to 70 meg and allow up to 12 rotated files. I created a cron that runs hourly to look and see if a ninth rotated file exists and if so run "ausearch -i" output to a file and store the file, then remove the rotated files. I run the cron to avoid losing data if there is a lot of activity and rotated files are rolled off. I also have to balance performance with auditing in this arrangement.

My question is: is there a better way to do this?

Thanks.
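One way to script the archival step described in the message above, written here as an added example that is neither the poster's cron job nor part of the audit package. It assumes the default /var/log/audit layout, where auditd's rotation leaves audit.log.1 (newest) through audit.log.N (oldest), and the ausearch options `-if FILE` (read one file) and `-i` (interpret). The environment variable names, the archive directory and the `--run` switch are this example's own conventions.

```shell
#!/bin/sh
# Archive rotated audit logs once the Nth rotated file appears, then remove them.
# The auditd.conf side described in the message corresponds to:
#   max_log_file = 70          (megabytes)
#   max_log_file_action = ROTATE
#   num_logs = 12
# Variables below are this example's assumptions, not auditd settings.
LOG_DIR="${AUDIT_LOG_DIR:-/var/log/audit}"
ARCHIVE_DIR="${AUDIT_ARCHIVE_DIR:-/var/log/audit-archive}"
TRIGGER="${AUDIT_TRIGGER:-9}"        # archive when audit.log.9 exists
AUSEARCH="${AUSEARCH:-ausearch}"     # overridable for testing

# Number of rotated files present: audit.log.1 .. audit.log.n (contiguous).
rotated_count() {
    n=0
    while [ -f "$LOG_DIR/audit.log.$((n + 1))" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Rotated files, oldest first, so the archive reads in chronological order.
rotated_files_oldest_first() {
    i=$(rotated_count)
    while [ "$i" -ge 1 ]; do
        echo "$LOG_DIR/audit.log.$i"
        i=$((i - 1))
    done
}

# True when the trigger file (the Nth rotated log) exists.
should_archive() {
    [ -f "$LOG_DIR/audit.log.$TRIGGER" ]
}

# Interpret every rotated file into one timestamped text file, keep a raw copy
# of each rotated log beside it, and only then delete the rotated files.
# Prints the path of the interpreted archive on success.
archive_rotated() {
    mkdir -p "$ARCHIVE_DIR" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$ARCHIVE_DIR/audit-$stamp.txt"
    : > "$out" || return 1
    for f in $(rotated_files_oldest_first); do
        # ausearch exits non-zero when a file yields no events; treat that as a
        # reason to stop before deleting anything rather than silently continue.
        "$AUSEARCH" -if "$f" -i >> "$out" || return 1
        # Raw copy: interpreted text cannot be fed back into ausearch/aureport.
        cp "$f" "$ARCHIVE_DIR/$(basename "$f").$stamp" || return 1
    done
    for f in $(rotated_files_oldest_first); do
        rm -f "$f"
    done
    echo "$out"
}

main() {
    if should_archive; then
        archive_rotated
    fi
}

# Run from cron as:  /path/to/this-script.sh --run
if [ "${1-}" = "--run" ]; then
    main
fi
```

Two points a practitioner would check before relying on this: the hourly cron still drops records if more than the configured number of files rotate within one hour on a busy host, so the interval should be sized against the observed rotation rate; and because interpreted `ausearch -i` output cannot be reread by ausearch or aureport, the raw copies are the ones to retain for any later investigation.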