
I am trying to use logrotate to keep audit logs for a set period of time rather than using auditd's special rotation (from /etc/audit/auditd.conf). I have changed the max_log_file_action to IGNORE in that file.

The following is my logrotate configuration:

/var/log/audit/audit.log {
    daily
    dateext
    rotate 180
    postrotate
        /bin/kill -HUP `cat /var/run/auditd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

The logs are rotated successfully. However, the audit daemon does not start logging again. /var/log/audit/audit.log remains empty until I restart the auditd service. I have also tried /bin/kill -USR1 and service auditd reload, but those options do not work well either. /bin/kill -USR1 actually keeps the audit daemon running, but it creates an empty audit.log.1 file.

Is there a way to successfully send a signal to the audit daemon to keep it running after logrotate?

Thanks.

Linux2012

2 Answers


I believe that your kill command is actually failing to kill the process. Try the following:

/var/log/audit/audit.log {
    daily
    dateext
    rotate 180
    postrotate
        /bin/kill `cat /var/run/auditd.pid 2> /dev/null` 2> /dev/null || true
        service auditd restart
    endscript
}
brucegarro

Answering this due to a Community bump...

Auditd supports forced rotation via the service auditd rotate command. You can combine this with a cron job to run it based on time (daily, hourly, every Tuesday at 10:00 AM, etc.).

An example is included with the RPM at /usr/share/doc/audit-$version/auditd.cron.

Aaron Copley
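Putting the two halves of the thread together (the question wants time-based retention; the second answer suggests letting auditd rotate its own log from cron), here is an added example script that is not from the question or either answer. It drives auditd's own rotation and then prunes the rotated copies by age, instead of having logrotate rename audit.log behind auditd's back. Renaming is what leaves the new audit.log empty: auditd keeps writing to the open descriptor of the renamed file, and SIGHUP tells auditd to reload its configuration, not to reopen its log. SIGUSR1 is the rotation signal described in auditd(8), and is what service auditd rotate sends. Assumptions not taken from the page: the pid file is /var/run/auditd.pid, rotated copies are named audit.log.1, audit.log.2, ... in /var/log/audit (the naming the question observed after kill -USR1), and find supports -maxdepth, -mtime and -delete.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Rotate auditd's log with auditd's own mechanism (SIGUSR1, the signal that
# "service auditd rotate" sends) and keep rotated copies for a fixed number
# of days. Paths below are assumptions, overridable from the environment.
set -u

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"          # assumed log directory
AUDIT_PIDFILE="${AUDIT_PIDFILE:-/var/run/auditd.pid}"  # assumed pid file
KEEP_DAYS="${KEEP_DAYS:-180}"                      # retention, as in "rotate 180"

# Ask the running auditd to rotate its log. Returns 1 (without sending any
# signal) if the pid file is missing, malformed, or the process is gone.
rotate_auditd_log() {
    pidfile="${1:-$AUDIT_PIDFILE}"
    [ -r "$pidfile" ] || { echo "pid file $pidfile not readable" >&2; return 1; }
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "auditd (pid $pid) not running" >&2; return 1; }
    kill -USR1 "$pid"
}

# Delete rotated copies (audit.log.N) whose mtime is older than KEEP_DAYS.
# The live audit.log never matches the pattern, so it is never touched.
# Prints the number of files removed.
prune_rotated_logs() {
    dir="${1:-$AUDIT_DIR}"
    days="${2:-$KEEP_DAYS}"
    n=$(find "$dir" -maxdepth 1 -type f -name 'audit.log.[0-9]*' \
            -mtime +"$days" -print | wc -l | tr -d ' ')
    find "$dir" -maxdepth 1 -type f -name 'audit.log.[0-9]*' -mtime +"$days" -delete
    echo "$n"
}

# Number of rotated copies currently on disk (useful for checking retention).
count_rotated_logs() {
    find "${1:-$AUDIT_DIR}" -maxdepth 1 -type f -name 'audit.log.[0-9]*' \
        | wc -l | tr -d ' '
}

# Intended cron entry (assumed path): 0 0 * * * /usr/local/sbin/audit-rotate.sh --run
if [ "${1:-}" = "--run" ]; then
    rotate_auditd_log && prune_rotated_logs
fi
```

Age-based pruning works here because auditd rotates by renaming audit.log.1 to audit.log.2 and so on, which preserves each file's mtime, so the mtime of audit.log.N is the last time anything was written to it. Two caveats: auditd's own rotation may also cap the number of rotated copies through num_logs in auditd.conf, so check that value against the retention period you want; and leave max_log_file_action set so that auditd does not fight the cron job by rotating on size as well.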