* Log rotation issue
@ 2014-01-03 15:47 David Flatley
  2014-01-03 16:04 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: David Flatley @ 2014-01-03 15:47 UTC (permalink / raw)
  To: linux-audit


    Run audit on dozens of systems but this one system (Red Hat 6.4 64 bit
server Audit 2..2.2 ) does a strange thing. We use "/sbin/service auditd
rotate" as part of a script that runs in /etc/cron.daily to do the audit
extractions. When the /etc/audit/audit.log is rotated, all the entries in
the log after rotation have their date as 12/31/1969 19:00. And on top of
this there is a bunch of audit entries. Reviewing the log and the entries
go along normally but when it does this date thing the log blows up in
size. This is the same audit config I run on all the other RHEL 6 systems.
My understanding is that when auditd rotates the logs that there should not
be any further entries in the rotated log. Thoughts?



David Flatley
"To err is human. To really screw up requires the root password." -UNKNOWN


* Re: Log rotation issue
  2014-01-03 15:47 Log rotation issue David Flatley
@ 2014-01-03 16:04 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2014-01-03 16:04 UTC (permalink / raw)
  To: David Flatley; +Cc: linux-audit

On Fri, 3 Jan 2014 10:47:31 -0500
David Flatley <dflatley@us.ibm.com> wrote:

>     Run audit on dozens of systems but this one system (Red Hat 6.4
> 64 bit server Audit 2..2.2 ) does a strange thing. We use
> "/sbin/service auditd rotate" as part of a script that runs
> in /etc/cron.daily to do the audit extractions. When
> the /etc/audit/audit.log is rotated,

/var/log/audit/audit.log I presume?


> all the entries in the log after
> rotation have their date as 12/31/1969 19:00.

Have you opened the log with vi and looked to see what the
date/timestamp is? I am wondering if it's written that way or
interpreted that way.


> And on top of this
> there is a bunch of audit entries. Reviewing the log and the entries
> go along normally but when it does this date thing the log blows up
> in size. This is the same audit config I run on all the other RHEL 6
> systems. My understanding is that when auditd rotates the logs that
> there should not be any further entries in the rotated log.

Correct. The first thing it does is mark the log file readonly:
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L701

If you are getting this, look down around line 776 in the above
referenced source code. It shows that you should be getting a message
logged into syslog that explains why rotation failed.

-Steve
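
The check suggested in the reply above (is the 1969 date written in the file, or produced by whatever displays it), as an added example that is not part of the original thread or of the audit project's code. It reads the raw `msg=audit(seconds.millis:serial)` stamp on each line; the function names, the sample lines and the fixed UTC-5 offset (taken from the -0500 in the quoted mail header) are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Raw audit records are stamped "msg=audit(<epoch secs>.<millis>:<serial>)".
STAMP = re.compile(r"msg=audit\((\d+)\.(\d{1,3}):(\d+)\)")

# Constructed sample lines (not from the poster's system).
SAMPLE = [
    "type=SYSCALL msg=audit(1388764051.123:4101): arch=c000003e syscall=2 success=yes",
    "type=SYSCALL msg=audit(0.000:4102): arch=c000003e syscall=2 success=yes",
    "type=PATH msg=audit(1388764",  # record cut off mid-stamp
]

def classify(line):
    """Return 'ok', 'zero_written' or 'no_stamp' for one raw log line."""
    m = STAMP.search(line)
    if m is None:
        # Nothing parseable in the file; assumption: a viewer that falls
        # back to time 0 for such a line would display the epoch.
        return "no_stamp"
    # A literal 0 here means the date was written that way, not interpreted.
    return "zero_written" if int(m.group(1)) == 0 else "ok"

def scan(lines):
    """Count each verdict and record the first line number of each anomaly."""
    counts = {"ok": 0, "zero_written": 0, "no_stamp": 0}
    first = {}
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        verdict = classify(line)
        counts[verdict] += 1
        if verdict != "ok":
            first.setdefault(verdict, number)
    return counts, first

def render(epoch_secs, utc_offset_hours):
    """Format an epoch value the way a local-time viewer would show it."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_secs, tz).strftime("%m/%d/%Y %H:%M")

if __name__ == "__main__":
    print(scan(SAMPLE))
    print(render(0, -5))  # epoch 0 at UTC-5
```

The first anomalous line number gives the point in the file to compare against the time the rotate job ran.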

