[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Audit logs rotation problem



On Tue, 22 May 2012 10:58:26 -0400, Steve Grubb <sgrubb redhat com>
wrote:
> On Monday, May 21, 2012 09:11:51 AM Nicolas GORALSKI wrote:
>> Hi all
>>
>> I've a got a problem on my audit log rotation.
>>
>> Because we've got a lot of logs on our server (a little bit of rules
>> and lot of activities), we've decided to rotate logs every hours to
>> compress, backup and delete them.
>> I'm using the command "/etc/init.d/auditd rotate" to rotate them, no
>> other commands.
>>
>> By the way we have some errors, sometimes logs are rotated twice.
>>
>> The rotation job was successful and we have as a result this
>> compressed file :
>> audit_20120507-0940--20120507-1040.log.gz
>>
>> The file contain in the firts line this information about the previous
>> rotation at 9h40
>> type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending
>> auid=0 pid=20084 subj=root:system_r:initrc_t:s0
>>
>> But we have a second file created a few seconds after the previous one
>> named : audit_20120507-1040--20120507-1040.log.gz
>>
>> The first line contain this text :
>> type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error
>> getting usr1 info - no change, sending auid=? pid=? subj=? res=failed
> 
> Whenever a signal comes in for log rotation, the audit system needs
> to find out
> who asked for it. So, it queries the kernel. In this case its saying
> it couldn't
> figure out who asked for the rotation - which is unusual. This almost
> looks like
> 2 signals came in or something to that effect.
> 
> -Steve


This is weird because my script of rotation is composed of : 

/etc/init.d/auditd rotate
sleep 30

Any other idea about that, it's weird !!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]