audit log file maintenance

From: Senulis, Joseph A (Joseph.Senulis@dnr.state.wi.us)
Date: Mon Jan 27 2003 - 10:47:59 EST


Hi,
     What is the recommended method for maintaining the logs in /var/audit?
I didn't see anything in the archives and the documentation is less than
helpful.

     When the audit system is configured, a cron job runs
/usr/lbin/auditlogtrim, every other month in our case. However, it doesn't
seem to do much except roll over the log file, use up a lot of CPU and
generate extra files. On some systems, it may run for a couple of days.
Additionally, I have files that are more than two months old that never get
deleted. (Aside: auditlogtrim contains code to delete old files, but the
loop that supposedly removes files, which starts:

AUDIT_TOOL="/usr/sbin/audit_tool"
. . . . .
FILES_TO_RM=$($AUDIT_TOOL -j $LAST_KEPT_EVENT_DATE $LOG_FILE) 2>>/dev/null

doesn't seem to do anything. I do note that man audit_tool does not list -j
as a valid option.)

     Rather than continue to trace the code, I was wondering if there was a
better way to do things. My current thinking is to just roll over the log
file periodically, perhaps weekly or monthly, and then just delete files
older than a reasonable number of months. It would mean that I would have
to work with multiple audit files when reviewing them, but that seems to be
the case anyway.

     Any suggestions? I will summarize, although it may be a while, as I try
out the suggestions. Thanks.
--Joe
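The retention half of the approach Joe describes (keep rolling logs, drop files older than a chosen window), as an added example that is not from the original post and is not Tru64's auditlogtrim. It assumes the audit files sit directly under one directory, that the most recently modified file is the live log the daemon is still writing (so it is never removed), and that rollover itself is left to the audit daemon; the directory, the retention in days and the "delete" keyword are the caller's choice.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Tru64 audit tools.
# expire_audit_logs DIR DAYS [delete]
#   Lists regular files under DIR whose modification time is older than
#   DAYS days. With a third argument "delete" it removes them instead.
#   The most recently modified file is assumed to be the active audit log
#   and is always kept, whatever its age.
expire_audit_logs() {
    dir=$1
    days=$2
    mode=${3:-list}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # Newest entry (by mtime) is treated as the live log and is never touched.
    newest=$(ls -t "$dir" 2>/dev/null | head -n 1)
    # -mtime +N selects files last modified more than N days ago;
    # -maxdepth 1 (GNU/BSD find) keeps the search to the directory itself.
    find "$dir" -maxdepth 1 -type f -mtime +"$days" -print |
    while read -r f; do
        [ "$(basename "$f")" = "$newest" ] && continue
        if [ "$mode" = delete ]; then
            rm -f -- "$f" && echo "removed $f"
        else
            echo "$f"
        fi
    done
}

# Run directly with arguments, e.g.: ./expire_audit_logs.sh /var/audit 90
# (list only) or ./expire_audit_logs.sh /var/audit 90 delete.
if [ $# -ge 2 ]; then
    expire_audit_logs "$@"
fi
```

Run it in list mode first and compare the output against the retention period you actually want before adding the delete keyword to a cron entry.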



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:05 EDT