Hi, first let me thank Hannes for releasing aide 0.18 which makes it possible to handle logs in a way that avoids false reports while still providing some security for the logs. I really appreciate that.
The aide.conf(5) manual page has grown a number of examples to handle a normal log that gets rotated like this:

    logname         => daemon writes to it
    logname.1       => rotated log, first generation
    logname.2.gz    => rotated log compressed to next generation
    logname.x.gz    => logs being rotated until the number of rotations is reached
    logname.xmax.gz => file vanishes after rotation

On my test systems this is working reasonably well. Now on to more challenging things.

On my webservers, there is an anonymizing step included where a filter resets the low bits of the IP address to de-personalize the data. Additionally, some web server logs can go for days without a single entry. This is done with the following logrotate configuration:

    /var/log/apache/access.log {
        missingok
        daily
        rotate 14
        compress
        compresscmd /usr/local/bin/compress-and-anonymize-log
        compressext .gz
        delaycompress
        create 640 root adm
        sharedscripts
        postrotate
            <systemctl reload apache2, scaffolding see Debian package>
            for file in $1; do
                printf "::1 - - log %s was rotated on %s\n" "${file}" "$(date +"%Y-%m-%d %H:%M:%S")" > "${file}"
            done
        endscript
    }

Let's give a short explanation for the less obvious parts of the configuration.

/usr/local/bin/compress-and-anonymize-log is a shell script that basically is

    python3 /usr/local/bin/anonip.py --ipv4mask 8 --ipv6mask 72 \
        --column 1 --replace 0.0.0.0 | gzip -9

So when logrotate works, apache.log.1 is first passed through anonip.py (which is from https://github.com/DigitaleGesellschaft/Anonip.git), then compressed with gzip -9 and finally written to apache.log.2.gz. All other log rotation generations are handled identically to the normal case. However, since the contents of the file are changed during the anonymizing process, aide's "compressed" file attribute cannot do its work.

Another necessary trick is the forced generation of a first log line with a valid timestamp in the postrotate script. This is necessary for a server that may go without a single log entry between two rotations (such as for error.log or some fallback catch-all log files) to force all generations of the log to be different. Aide's "ignore changed filename" attribute will choke on a row of identical, empty files.

Here is my suggestion to handle this kind of log rotation:

    Full = p+u+g+ftype+n+i+s+b+l+X+m+c+H

    /var/log/apache$ d p+u+g+ftype+n+i+X
    /var/log/apache/access\.log$ f Full+growing+ANF+I
    /var/log/apache/access\.log\.1$ f Full+ARF
    /var/log/apache/access\.log\.2\.gz$ f Full+I+ANF
    /var/log/apache/access\.log\.([3-9]|1[0-3])\.gz$ f Full+I
    /var/log/apache/access\.log\.14\.gz$ f Full+ARF

This seems to work reasonably well for a few days, but I am not fully sure whether those rules can be improved. May I ask for your comments?

Greetings
Marc
-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They |  Mailadresse im Header
Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421

_______________________________________________
Aide mailing list
Aide@ipi.fi
https://www.ipi.fi/mailman/listinfo/aide
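A simulation of the rotation scheme and the file rules in the post above, added here as an example that is neither code from the post nor from aide: it rotates a constructed access.log through all 14 generations and checks, under a simplified model of aide's reporting (content that moved to another name needs I on its old name, content never seen before needs ANF, content that vanished needs ARF, appended content needs growing), which events the posted rules would still report. The anonymize() function is a stand-in for anonip --ipv4mask 8, and rule precedence, inode tracking and the identical-empty-file case the post works around are not modelled (all assumptions of this example).

```python
import gzip
import re
RULES = [  # the posted aide file rules as (path regex, permissive attributes); aide anchors the regex like re.match
    (r"/var/log/apache/access\.log$", {"growing", "ANF", "I"}),
    (r"/var/log/apache/access\.log\.1$", {"ARF"}),
    (r"/var/log/apache/access\.log\.2\.gz$", {"I", "ANF"}),
    (r"/var/log/apache/access\.log\.([3-9]|1[0-3])\.gz$", {"I"}),
    (r"/var/log/apache/access\.log\.14\.gz$", {"ARF"}),
]
BASE, ROTATE = "/var/log/apache/access.log", 14

def rule_for(path):
    """Exactly one file rule must match a path; anything else is a gap or an overlap."""
    hits = [attrs for rx, attrs in RULES if re.match(rx, path)]
    assert len(hits) == 1, f"{path}: {len(hits)} rules match"
    return hits[0]

def anonymize(data):  # constructed stand-in for anonip --ipv4mask 8: zero the low octet of a leading IPv4
    return re.sub(rb"^(\d+\.\d+\.\d+\.)\d+", rb"\g<1>0", data, flags=re.M)

def rotate(fs, stamp):
    """One logrotate run: shift generations, anonymize+gzip .1 into .2.gz, drop .14, recreate the log."""
    new = {BASE: f"::1 - - log {BASE} was rotated on {stamp}\n".encode()}  # the postrotate line
    for name, data in fs.items():
        if name == BASE:
            new[BASE + ".1"] = data
        elif name == BASE + ".1":
            new[BASE + ".2.gz"] = gzip.compress(anonymize(data))
        elif (n := int(name[len(BASE) + 1:-3])) < ROTATE:  # ".N.gz" -> N; .14.gz vanishes
            new[f"{BASE}.{n + 1}.gz"] = data
    return new

def reports(before, after):
    """Simplified aide model; returns the (path, event) pairs the posted rules would still report."""
    old, new = ({d: p for p, d in fs.items()} for fs in (before, after))  # content -> path
    out = []
    for p, d in before.items():  # the fate of every file aide already knows
        if new.get(d, p) != p:
            attr, ev = "I", "moved"
        elif p in after and after[p] != d and after[p].startswith(d):
            attr, ev = "growing", "grown"
        elif d not in new:
            attr, ev = "ARF", "removed"
        else:
            continue
        out += [] if attr in rule_for(p) else [(p, ev)]
    for p, d in after.items():  # content aide has never seen is a new file
        if d not in old and not (p in before and d.startswith(before[p])) and "ANF" not in rule_for(p):
            out.append((p, "new"))
    return sorted(out)
```

Dropping I from the .2.gz rule makes reports() flag the .2.gz to .3.gz move, and a path outside the 0..14 generations makes rule_for() fail, which is the kind of gap worth checking before trusting a rule set in production.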