space_left_action=exec only works once?

Stephen Buchanan stephenwb at gmail.com
Thu Jan 26 20:08:42 UTC 2017


My thought: If Steve is able to help you fix the behavior, then great.
Otherwise, pivot.

Instead of using the space_left_action in auditd, use logrotate and have it
check for max log size. Put your script in the postrotate section if more
logic than what is provided with logrotate is needed.

Stephen

On Thu, Jan 26, 2017 at 2:41 PM Bond Masuda <bond.masuda at jlbond.com> wrote:

> Thanks Steve for the suggestion. Unfortunately, even with my script
> sending USR2 to auditd, I still get the same behavior where the
> space_left_action=exec call to the script only happens once.
>
> Thoughts?
> Bond
>
>
> On 01/25/2017 10:22 PM, Steve Grubb wrote:
> > Hello,
> >
> > On Wed, 25 Jan 2017 15:06:50 -0800
> > Bond Masuda <bond.masuda at jlbond.com> wrote:
> >> I configured space_left and space_left_action to run a script that
> >> compresses and moves older audit log files from /var/log/audit. It
> >> appears to work 1 time, and then doesn't work anymore until I kill
> >> the auditd daemon and start it again.
> >>
> >> Is this expected and/or desired behavior? I didn't see anything in
> >> the man pages about this behavior. I was hoping to have my script run
> >> every time the space_left threshold is hit so as to not run out of
> >> logging disk space. Is there something I can do to accomplish this?
> > You may need to send SIGUSR2 to `pidof auditd` to reset the internal
> > counters. Let me know if that does not fix it.
> >
> > -Steve
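The logrotate approach suggested in the reply above, sketched as an added example that is not part of the original thread: a helper for the postrotate section that compresses and moves rotated audit logs. The script path, archive directory, size limit, the use of copytruncate and the auditd.conf setting are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed logrotate stanza that calls it;
# size, count and paths are placeholders. maxsize is checked only when
# logrotate runs, so schedule it often enough. copytruncate is used because
# auditd keeps the file open; records written between the copy and the
# truncate can be lost.
#
#   /var/log/audit/audit.log {
#       maxsize 50M
#       rotate 8
#       copytruncate
#       postrotate
#           /usr/local/sbin/archive-audit-logs.sh /var/log/audit /var/log/audit-archive
#       endscript
#   }
#
# Assumes max_log_file_action = ignore in auditd.conf so auditd does not rotate too.

# archive_audit_logs SRC_DIR DEST_DIR
# Compress each rotated file (audit.log.N) from SRC_DIR into DEST_DIR and remove
# the original. The live audit.log is left alone. Returns non-zero on any failure.
archive_audit_logs() {
    src=$1
    dest=$2
    [ -d "$src" ] || return 1
    ( umask 077; mkdir -p "$dest" ) || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    for f in "$src"/audit.log.*; do
        [ -f "$f" ] || continue                     # glob matched nothing
        case $f in *.gz | *.tmp) continue ;; esac   # already compressed or in progress
        out="$dest/$(basename "$f").$stamp.gz"
        [ -e "$out" ] && return 1                   # never overwrite an existing archive
        # Write to a temp name first so a partial archive is never mistaken for a
        # complete one; umask keeps the copy readable by the owner only.
        if ( umask 077; gzip -c "$f" > "$out.tmp" ) && mv "$out.tmp" "$out"; then
            rm -f "$f"
        else
            rm -f "$out.tmp"
            return 1
        fi
    done
    return 0
}

# Run only when called with both directories, as in the stanza above.
if [ $# -eq 2 ]; then
    archive_audit_logs "$1" "$2"
fi
```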