Log rotation issue

Steve Grubb sgrubb at redhat.com
Fri Jan 3 16:04:33 UTC 2014


On Fri, 3 Jan 2014 10:47:31 -0500
David Flatley <dflatley at us.ibm.com> wrote:

>     Run audit on dozens of systems but this one system (Red Hat 6.4
> 64 bit server Audit 2..2.2 ) does a strange thing. We use
> "/sbin/service auditd rotate" as part of a script that runs
> in /etc/cron.daily to do the audit extractions. When
> the /etc/audit/audit.log is rotated,

/var/log/audit/audit.log I presume?


> all the entries in the log after
> rotation have their date as 12/31/1969 19:00.

Have you opened the log with vi and looked to see what the
date/timestamp is? I am wondering if it's written that way or
interpreted that way.


> And on top of this
> there is a bunch of audit entries. Reviewing the log and the entries
> go along normally but when it does this date thing the log blows up
> in size. This is the same audit config I run on all the other RHEL 6
> systems. My understanding is that when auditd rotates the logs that
> there should not be any further entries in the rotated log.

Correct. The first thing it does is mark the log file readonly:
https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L701

If you are getting this, look down around line 776 in the above
referenced source code. It shows that you should be getting a message
logged into syslog that explains why rotation failed.

-Steve
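
The written-versus-interpreted question raised above can be checked against the raw log. The following is an added example, not part of the original message or of the audit project's code: it reads the `msg=audit(<epoch>.<ms>:<serial>)` stamp on each record and separates records whose stamp is itself at the Unix epoch from records with no parsable stamp. The sample lines, the function names, the one-day `floor` threshold and the UTC-5 offset are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone, timedelta

# Raw audit records carry their time as "msg=audit(<epoch>.<ms>:<serial>)".
STAMP = re.compile(r"msg=audit\((\d+)\.(\d{1,3}):(\d+)\)")

# Constructed sample lines (not taken from the thread).
SAMPLE = """\
type=SYSCALL msg=audit(1388764801.123:4201): arch=c000003e syscall=2 success=yes
type=USER_LOGIN msg=audit(0.000:4202): pid=2211 uid=0 res=success
type=CWD msg=audit(1388764802.500:4203): cwd="/root"
type=PATH msg=audit(: item=0 name="/etc/passwd"
"""

def classify(lines, floor=86400):
    """Sort record line numbers into ok / epoch / malformed."""
    result = {"ok": [], "epoch": [], "malformed": []}
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        m = STAMP.search(line)
        if m is None:
            # No parsable stamp. Assumption: a reporting tool may then
            # fall back to time 0, i.e. the date is "interpreted that way".
            result["malformed"].append(lineno)
        elif int(m.group(1)) < floor:
            # The stamp itself is at or near the epoch: "written that way".
            result["epoch"].append(lineno)
        else:
            result["ok"].append(lineno)
    return result

def as_local(epoch_seconds, utc_offset_hours):
    """Render an epoch value as a tool in a fixed-offset zone would."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch_seconds, tz).strftime("%m/%d/%Y %H:%M")

if __name__ == "__main__":
    print(classify(SAMPLE.splitlines()))
    # Epoch 0 viewed from UTC-5 (assumed US Eastern standard time)
    # gives the date reported in the thread.
    print(as_local(0, -5))
```

To run it against a real file, pass `open("/var/log/audit/audit.log")` to `classify` in place of the sample.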




More information about the Linux-audit mailing list