2

Can auditd use a date instead of an integer to name its rotated audit logs? Right now I have

audit.log
audit.log.1
audit.log.2
...

When audit.log fills up all of the files are rotated one number higher. I have a script that backs up the audit logs, and tar gets confused when it sees all the files move underneath it. I'd like to name the files by date so that they don't all get moved when audit.log fills up.

spiffytech
  • 1,043
  • 2
  • 11
  • 16

1 Answer

5

auditd can't do this. Its built-in log rotation works by size, not by date.

You should be able to turn off auditd's built-in log rotation, and then configure logrotate to rotate its logs. It does name files by date. In /etc/audit/auditd.conf:

# 0 disables auditd's own size-based rotation; logrotate takes over
num_logs = 0

In /etc/logrotate.d/auditd (tune as you wish):

/var/log/audit/audit.log {
    daily
    missingok
    notifempty
    sharedscripts
    rotate 2
    # name rotated files audit.log-YYYYMMDD rather than audit.log.1
    # (may already be set globally in /etc/logrotate.conf; repeating it is harmless)
    dateext
    compress
    delaycompress
    postrotate
        # ask auditd to close the rotated file and open a fresh audit.log
        /usr/bin/systemctl kill -s USR1 auditd.service >/dev/null 2>&1 || true
    endscript
}

(The USR1 signal tells auditd to rotate its logs. Since it is configured not to rotate its logs itself, this just causes it to open a new log, which occurs just after logrotate has rotated the log.)

Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
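As an added example, not part of the question or the answer above: once auditd's own rotation is off and logrotate names the files by date, a backup script can confirm the auditd.conf setting and archive only the closed, date-suffixed logs, leaving the live audit.log alone so tar never sees files move underneath it. The functions and the sample directory layout below are mine; the paths are the defaults named in the answer, and the file names in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes the
# answer's setup: num_logs = 0 in auditd.conf and logrotate with dateext,
# so rotated files look like audit.log-YYYYMMDD or audit.log-YYYYMMDD.gz.

# Read one key from an auditd.conf-style "key = value" file, ignoring
# comment lines and taking the last assignment if the key appears twice.
# Usage: auditd_conf_value /etc/audit/auditd.conf num_logs
auditd_conf_value() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$conf" | tail -n 1
}

# List rotated, date-suffixed audit logs, oldest first. The live audit.log
# (still open in auditd) and any leftover numeric audit.log.N are skipped.
# Usage: rotated_audit_logs /var/log/audit
rotated_audit_logs() {
    dir="$1"
    for f in "$dir"/audit.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] \
             "$dir"/audit.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].gz; do
        # an unmatched glob stays literal, so check the file really exists
        [ -e "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Archive only the rotated logs. After logrotate's USR1 auditd has stopped
# writing to them, so their names and contents are stable during the tar run.
# Usage: backup_rotated_logs /var/log/audit /backup/audit-2024-01-02.tar
# (the output path must be absolute; it is created from inside the log dir)
backup_rotated_logs() {
    dir="$1"; out="$2"
    list=$(cd "$dir" && rotated_audit_logs . | sed 's|^\./||')
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | (cd "$dir" && tar -cf "$out" -T -)
}

# Sanity check before backing up: refuse to run if auditd still rotates
# on its own, since then the numeric renames the question describes return.
check_rotation_disabled() {
    [ "$(auditd_conf_value "$1" num_logs)" = "0" ]
}
```

Run `check_rotation_disabled /etc/audit/auditd.conf && backup_rotated_logs /var/log/audit /backup/audit-$(date +%F).tar` from cron after logrotate's daily run; because audit.log itself is never included, a rotation that happens mid-backup can at most add a new closed file that the next run picks up.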