Linux OS audit log retention
Question about Linux Redhat OS audit logs. Is anyone familiar with the audit.log.xxx and the audit.log.xxx.gz relation? I've been moving the logs in /var/log/audit off for retention, but I think I might be doing it incorrectly by moving the gz files off to be backed up and also to make room on the /var/log/audit volume. Does someone know which logs are OK to move off and which ones should be left alone, so the /var/log/audit volume does not fill up? Last week the /var/log/audit volume filled up. I've relocated audit logs in the 200 and 300 range to a larger partition, but they are being recreated in the /var/log/audit folder. Here's a sample of what my /var/log/audit folder looks like:

    audit.log
    audit.log.1
    audit.log.10
    ...
    audit.log.199
    audit.log.1.gz
    audit.log.2
    ...
    audit.log.299
    audit.log.2.gz
    audit.log.3
    ...
    and so on



Software/Hardware used:
Redhat RHEL 5
ASKED: July 6, 2011  1:59 PM
UPDATED: March 31, 2012  10:12 PM

Answer Wiki:
Well, your question is related rather to logrotate than to audit itself. Logrotate's task is to archive logs at some predefined intervals (daily, weekly, monthly), either plain or compressed (gzipped, bzipped), and to keep these archives for some predefined amount of time (month, year, forever). So, if you move your "numbered" archives, logrotate just reuses their numbers; it does not recreate them... For exact details look in /etc/logrotate.conf and in /etc/logrotate.d/audit - keep in mind that general settings in the first file are "overpowered" by the settings in the second file. Anyway, simply moving files is not an option - better to change the settings to keep a limited number of backlogs in the log folder (audit can - and should - be very "noisy"), and use a cron job for copying the oldest logs to a safe location.
Last Wiki Answer Submitted:  July 7, 2011  2:01 pm  by  petkoa   3,120 pts.
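The cron-job step in the answer, as an added shell example that is not from the original post: it moves only numbered rotations older than the newest KEEP ones to an archive directory and never touches the live audit.log. It assumes, as in the question's listing, that a higher suffix means an older rotation; the SRC, DEST and KEEP values are placeholders to be set for the real cron job.

```shell
#!/bin/sh
# Archive old rotated audit logs from SRC to DEST, leaving the live audit.log
# and the newest KEEP rotation numbers in place. Handles both audit.log.N and
# audit.log.N.gz. Assumption: a higher suffix is an older rotation.
archive_old_audit_logs() {
    src=$1; dest=$2; keep=$3
    mkdir -p "$dest" || return 1
    # Highest rotation number that stays: the KEEP-th smallest distinct suffix.
    cutoff=$(rotation_numbers "$src" | sort -n -u | sed -n "${keep}p")
    [ -n "$cutoff" ] || return 0      # fewer than KEEP rotations: nothing to do
    for f in "$src"/audit.log.*; do
        n=$(rotation_number "$f") || continue   # skips audit.log and stray files
        [ "$n" -gt "$cutoff" ] || continue
        # mv within one filesystem keeps owner/mode/mtime; across filesystems it
        # copies then unlinks, so a failed copy leaves the original in place.
        mv "$f" "$dest/" || return 1
    done
}

# Print the numeric suffix of a rotated audit log path; fail for anything else
# (the live audit.log, unrelated files, names with extra components).
rotation_number() {
    base=${1##*/}
    n=${base#audit.log.}; n=${n%.gz}
    case $n in ''|*[!0-9]*) return 1 ;; esac
    [ "$base" = "audit.log.$n" ] || [ "$base" = "audit.log.$n.gz" ] || return 1
    printf '%s\n' "$n"
}

# One rotation number per line for every rotated log in the directory.
rotation_numbers() {
    for f in "$1"/audit.log.*; do
        [ -e "$f" ] && rotation_number "$f"
    done
    return 0
}

# Example invocation for a cron entry (placeholder paths and KEEP value):
# archive_old_audit_logs /var/log/audit /archive/audit 50
```

Run it from cron as root so the moved files keep their ownership and mode; the script exits non-zero if any move fails, which cron will report.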

