Audit logs rotation problem

Nicolas GORALSKI nicolas+rh-auditd at goralski.fr
Wed May 23 13:37:05 UTC 2012


On Tue, 22 May 2012 10:58:26 -0400, Steve Grubb <sgrubb at redhat.com>
wrote:
> On Monday, May 21, 2012 09:11:51 AM Nicolas GORALSKI wrote:
>> Hi all
>>
>> I've got a problem with my audit log rotation.
>>
>> Because we've got a lot of logs on our server (a few rules
>> and a lot of activity), we've decided to rotate logs every hour to
>> compress, backup and delete them.
>> I'm using the command "/etc/init.d/auditd rotate" to rotate them, no
>> other commands.
>>
>> By the way we have some errors, sometimes logs are rotated twice.
>>
>> The rotation job was successful and we have as a result this
>> compressed file:
>> audit_20120507-0940--20120507-1040.log.gz
>>
>> The file contains in its first line this information about the previous
>> rotation at 9h40:
>> type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending
>> auid=0 pid=20084 subj=root:system_r:initrc_t:s0
>>
>> But we have a second file created a few seconds after the previous one
>> named: audit_20120507-1040--20120507-1040.log.gz
>>
>> The first line contains this text:
>> type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error
>> getting usr1 info - no change, sending auid=? pid=? subj=? res=failed
> 
> Whenever a signal comes in for log rotation, the audit system needs
> to find out who asked for it. So, it queries the kernel. In this case
> it's saying it couldn't figure out who asked for the rotation - which
> is unusual. This almost looks like 2 signals came in or something to
> that effect.
> 
> -Steve


This is weird because my rotation script is composed of:

/etc/init.d/auditd rotate
sleep 30

Any other idea about that? It's weird!!
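To spot the double-rotation pattern described in this thread across a directory of rotated files, here is an added checker (example code, not part of the thread or of the audit package). It assumes the rotation script names files audit_<start>--<end>.log.gz as shown above and that the first line of each rotated file is its DAEMON_ROTATE record; the two sample lines are the ones quoted in the thread, embedded here as constructed input.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: first line of each rotated file, keyed by file name,
# taken from the two records quoted in the thread.
SAMPLE_FILES = {
    "audit_20120507-0940--20120507-1040.log.gz":
        "type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending "
        "auid=0 pid=20084 subj=root:system_r:initrc_t:s0",
    "audit_20120507-1040--20120507-1040.log.gz":
        "type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error "
        "getting usr1 info - no change, sending auid=? pid=? subj=? res=failed",
}

# File-name convention assumed from the thread: audit_<start>--<end>.log[.gz]
NAME_RE = re.compile(r"audit_(\d{8}-\d{4})--(\d{8}-\d{4})\.log(\.gz)?$")
ROTATE_RE = re.compile(r"type=DAEMON_ROTATE msg=audit\((\d+\.\d+):(\d+)\)")


def parse_rotate(line: str) -> Optional[Dict]:
    """Extract timestamp and serial from a DAEMON_ROTATE record, or None."""
    m = ROTATE_RE.search(line)
    if not m:
        return None
    return {"ts": float(m.group(1)), "serial": int(m.group(2)),
            "failed": "res=failed" in line}


def find_double_rotations(files: Dict[str, str], window: float = 60.0) -> List[str]:
    """Flag files whose rotation record reports res=failed, whose name spans a
    zero-length window (start == end), or whose DAEMON_ROTATE record follows
    the previous file's record by less than `window` seconds."""
    events = []
    for name, first_line in files.items():
        rec = parse_rotate(first_line)
        if rec is None:
            continue  # first line is not a rotation record; skip the file
        nm = NAME_RE.match(name)
        zero_span = bool(nm) and nm.group(1) == nm.group(2)
        events.append((rec["ts"], name, rec["failed"], zero_span))
    events.sort()
    findings = []
    for i, (ts, name, failed, zero_span) in enumerate(events):
        reasons = []
        if failed:
            reasons.append("res=failed")
        if zero_span:
            reasons.append("zero-length window in file name")
        if i > 0 and ts - events[i - 1][0] < window:
            reasons.append(f"{ts - events[i - 1][0]:.1f}s after previous rotation")
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    print("\n".join(find_double_rotations(SAMPLE_FILES)))
```

Run against the real rotation directory, the file dict would be built by reading the first line of each archive; with the sample above only the second file is flagged.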



