Linux OS audit log retention

Tags: Auditing, Linux, Linux administration, Linux OS, Red Hat Enterprise Linux, RedHat, RHEL 5
Question about Linux Redhat OS audit logs. Is anyone familiar with the audit.log.xxx and the audit.log.xxx.gz relation? I've been moving the logs in /var/log/audit off for retention, but I think I might be doing it incorrectly by moving the gz files off to be backed up and also to make room on the /var/log/audit volume. Does someone know which logs are OK to move off and which ones should be left alone, so that the /var/log/audit volume does not fill up? Last week the /var/log/audit volume filled up. I've relocated audit logs in the 200 and 300 range to a larger partition, but they are being recreated in the /var/log/audit folder. Here's a sample of what my /var/log/audit folder looks like:

    audit.log
    audit.log.1
    audit.log.10
    ...
    audit.log.199
    audit.log.1.gz
    audit.log.2
    ...
    audit.log.299
    audit.log.2.gz
    audit.log.3
    ...

and so on

Software/Hardware used:
Redhat RHEL 5


Well, your question is related rather to logrotate than to audit itself. Logrotate's task is to archive logs in some predefined intervals (daily, weekly, monthly), either plain or compressed (gzipped, bzipped), and to keep these archives for some predefined amount of time (month, year, forever). So, if you move your "numbered" archives, logrotate just reuses their numbers, not recreates them...

For exact details look in /etc/logrotate.conf and in /etc/logrotate.d/audit; keep in mind that general settings in the first file are "overpowered" by the settings in the second file. Anyway, simply moving files is not an option. Better change the settings to keep a limited amount of backlogs in the log folder (audit can, and should, be very "noisy"), and use a cron job for copying the oldest logs to a safe location.
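The cron-job copy-off the answer suggests, written out as an added example that is not part of the original thread. It assumes the audit.log.N / audit.log.N.gz naming shown in the question (higher N is the older rotation), and the source directory, safe location and number of rotations to keep are placeholder values chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: move the oldest rotated audit
# logs to a safe location, leaving the live audit.log and the KEEP newest
# rotations in place. Assumes audit.log.N / audit.log.N.gz naming (higher N
# is older); SRC, DEST and KEEP are illustrative placeholders.
set -u

# Print the rotation number of a name such as audit.log.12 or audit.log.12.gz.
rotation_number() {
    n=${1##*/}           # strip directory
    n=${n#audit.log.}    # strip the fixed prefix
    n=${n%.gz}           # strip optional compression suffix
    printf '%s\n' "$n"
}

# archive_old_audit_logs SRC DEST KEEP
# Copies every rotated log whose number is greater than KEEP from SRC to DEST,
# verifies the copy byte-for-byte with cmp, and only then removes the original,
# so a failed copy never costs an audit record. Prints the number of files moved.
archive_old_audit_logs() {
    src=$1; dest=$2; keep=$3
    mkdir -p "$dest" || return 1
    moved=0
    for f in "$src"/audit.log.*; do
        [ -f "$f" ] || continue
        num=$(rotation_number "$f")
        case $num in
            *[!0-9]*|'') continue ;;   # skip anything that is not a numbered rotation
        esac
        [ "$num" -gt "$keep" ] || continue
        base=${f##*/}
        cp -p "$f" "$dest/$base" || return 1
        cmp -s "$f" "$dest/$base" || return 1   # refuse to delete an unverified copy
        rm -f "$f"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Example invocation for a cron entry (placeholder paths and count):
# archive_old_audit_logs /var/log/audit /srv/audit-archive 20
```

Because the sample listing in the question is sorted lexically (audit.log.199 before audit.log.2), the script compares the numeric suffix rather than the file-name order.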
