Log rotation and client disconnects
LC Bruzenak
lenny at magitekltd.com
Thu Aug 12 15:57:20 UTC 2010
On Thu, 2010-08-12 at 11:16 -0400, rshaw1 at umbc.edu wrote:
> > On Thursday, August 12, 2010 10:02:29 am rshaw1 at umbc.edu wrote:
> >> I've discovered the issue since I sent it, anyway. If num_logs is set
> >> to
> >> 0, auditd will ignore explicit requests to rotate the logs. I guess
> >> this
> >> may be intentional, but it's unfortunate as num_logs caps at 99 and I
> >> need
> >> to keep 365 of them.
> >
> > Have you looked at the keep_logs option for max_log_file_action?
>
> I did, but the man page states that keep_logs is similar to rotate, so it
> sounds like if I used this option, it would still rotate the log file if
> it went above the max_log_file size, which I don't want to happen. I
> suppose I could just set max_log_file to 99999 or something (if that's
> supported). Typically, uncompressed log files for ~400 clients on the
> central server end up being around 3-4Gb.
>
> Thanks for all the help so far; I think I'm almost there.
>
> --Ray
Do you not want to rotate because of the time it takes?
Yep, the keep_logs does a rotate without a limit.
The max_log_file value is an unsigned long so it should take a very
large number. However, in case there is a lot of auditing you are not
prepared for, I'd suggest limiting the file size to 2GB. The rotate time
should be similar regardless of the file size.
BTW, in what a time period are you getting the 3-4GB amounts? Are you
happy with the data you are getting - or maybe you could pare it down
some with audit.rules tweaks on the senders?
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
More information about the Linux-audit
mailing list