SUMMARY: audit log file maintenance

From: Senulis, Joseph A (Joseph.Senulis@dnr.state.wi.us)
Date: Fri Jan 31 2003 - 16:17:56 EST


Hi,
     I only got one response on this, from Spider.Boardman. Although he was
addressing a slightly different issue, his code suggested some
clarifications in my thinking. In any event, we will not use auditlogtrim.
Instead, we will be rolling over the audit log file weekly and deleting logs
older than several weeks, relying on our backups to restore those older logs
when needed.
--Joe

> -----Original Message-----
> From: Senulis, Joseph A
> Sent: Monday, January 27, 2003 9:48 AM
> To: 'tru64-unix-managers@ornl.gov'
> Subject: audit log file maintenance
>
> Hi,
> What is the recommended method for maintaining the logs in
> /var/audit? I didn't see anything in the archives and the documentation
> is less than helpful.
>
> When the audit system is configured, a cron job runs
> /usr/lbin/auditlogtrim, every other month in our case. However, it
> doesn't seem to do much except roll over the log file, use up a lot of CPU
> and generate extra files. On some systems, it may run for a couple of
> days. Additionally, I have files that are more than two months old that
> never get deleted. (Aside: auditlogtrim contains code to delete old
> files, but the loop that supposedly removes files, which starts:
>
> AUDIT_TOOL="/usr/sbin/audit_tool"
> . . . . .
> FILES_TO_RM=$($AUDIT_TOOL -j $LAST_KEPT_EVENT_DATE $LOG_FILE) 2>>/dev/null
>
> doesn't seem to do anything. I do note that a man audit_tool does not list
> -j as being a valid option.)
>
> Rather than continue to trace the code, I was wondering if there was
> a better way to do things. My current thinking is to just roll over the
> log file periodically, perhaps weekly or monthly, and then just delete
> files older than a reasonable number of months. It would mean that I
> would have to work with multiple audit files when reviewing them, but that
> seems to be the case anyway.
>
> Any suggestions? I will summarize, although it may be a while as I
> try out the suggestions. Thanks.
> --Joe
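The retention half of the scheme Joe settles on (weekly rollover, then delete logs older than several weeks), as an added example in POSIX sh; this is not from the message above or from Tru64's auditlogtrim. It assumes the log files are named auditlog*, that the newest file is the one auditd is still writing and must never be removed, and that the rollover itself is done by a separate site command (the AUDIT_PRUNE_RUN switch and KEEP_WEEKS default are also assumptions).

```shell
#!/bin/sh
# Audit-log retention for /var/audit (added example, not Tru64's own code).
# Rotation is left to the site's rollover job; this script only prunes.
# Deleted logs are expected to be recoverable from backups, as in the post.

AUDIT_DIR=${AUDIT_DIR:-/var/audit}
KEEP_WEEKS=${KEEP_WEEKS:-6}          # assumed site policy, not a Tru64 default

# prune_audit_logs DIR WEEKS
# Removes rotated auditlog* files in DIR whose mtime is older than WEEKS
# weeks, never touching the newest file (the live log). Prints each removed
# path, one per line. Returns 1 if DIR holds no auditlog* files at all.
prune_audit_logs() {
    dir=$1
    days=$(( $2 * 7 ))
    # Newest file is the live log auditd is writing; keep it regardless of age.
    newest=$(ls -t "$dir"/auditlog* 2>/dev/null | head -n 1)
    [ -n "$newest" ] || return 1
    # "$dir/." + ! -name . -prune is the POSIX equivalent of -maxdepth 1,
    # so nothing outside the audit directory itself is ever considered.
    find "$dir/." ! -name . -prune -type f -name 'auditlog*' -mtime +"$days" |
    while read -r f; do
        [ "${f##*/}" = "${newest##*/}" ] && continue
        rm -f "$f" && echo "$f"
    done
}

# Cron entry point: only acts when explicitly enabled, so sourcing the file
# (for example to reuse the function) never deletes anything by accident.
if [ -n "${AUDIT_PRUNE_RUN:-}" ]; then
    prune_audit_logs "$AUDIT_DIR" "$KEEP_WEEKS"
fi
```

Run it from the weekly cron job with AUDIT_PRUNE_RUN=1 after the rollover step, and keep the printed list of removed files with the cron output so it is clear which logs now exist only on backup media.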
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:06 EDT