On Thu, 2010-08-12 at 11:16 -0400, [email protected] wrote:
> > On Thursday, August 12, 2010 10:02:29 am [email protected] wrote:
> >> I've discovered the issue since I sent it, anyway. If num_logs is set
> >> to 0, auditd will ignore explicit requests to rotate the logs. I guess
> >> this may be intentional, but it's unfortunate as num_logs caps at 99
> >> and I need to keep 365 of them.
> >
> > Have you looked at the keep_logs option for max_log_file_action?
>
> I did, but the man page states that keep_logs is similar to rotate, so it
> sounds like if I used this option, it would still rotate the log file if
> it went above the max_log_file size, which I don't want to happen. I
> suppose I could just set max_log_file to 99999 or something (if that's
> supported). Typically, uncompressed log files for ~400 clients on the
> central server end up being around 3-4Gb.
>
> Thanks for all the help so far; I think I'm almost there.
>
> --Ray

Do you not want to rotate because of the time it takes?

Yep, the keep_logs does a rotate without a limit.

The max_log_file value is an unsigned long so it should take a very large number. However, in case there is a lot of auditing you are not prepared for, I'd suggest limiting the file size to 2GB. The rotate time should be similar regardless of the file size.

BTW, in what time period are you getting the 3-4GB amounts? Are you happy with the data you are getting - or maybe you could pare it down some with audit.rules tweaks on the senders?

LCB.

--
LC (Lenny) Bruzenak
[email protected]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
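
The settings discussed in this thread, as an added example that is not part of the original messages or of the audit project: a small Python check that reads auditd.conf text and flags the combinations raised above for a given retention goal. The function names, finding labels and sample configurations are constructed for illustration; the 2048 default assumes the 2GB suggestion expressed in megabytes, the unit auditd.conf(5) gives for max_log_file.

```python
# Added example: lint auditd.conf text against the settings discussed in this thread.
REQUIRED = ("max_log_file_action", "num_logs", "max_log_file")

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip().lower()
    return conf

def check_retention(text, wanted_logs, size_cap_mb=2048):
    """Return finding labels (hypothetical names) for a goal of wanted_logs files."""
    conf = parse_conf(text)
    missing = [k for k in REQUIRED if k not in conf]
    if missing:
        return ["missing:" + k for k in missing]
    action = conf["max_log_file_action"]
    num_logs = int(conf["num_logs"])
    max_mb = int(conf["max_log_file"])  # auditd.conf(5): value is in megabytes
    findings = []
    if action == "rotate":
        if num_logs < 2:
            # Thread: with num_logs = 0 auditd ignores explicit rotate requests;
            # auditd.conf(5) documents no rotation for any value below 2.
            findings.append("rotation-disabled")
        if wanted_logs > 99:
            # num_logs caps at 99, so "rotate" cannot retain this many files.
            findings.append("retention-exceeds-num-logs-cap")
        elif 2 <= num_logs < wanted_logs:
            findings.append("num-logs-below-goal")
    elif action == "keep_logs":
        # keep_logs rotates without a file-count limit, but still rotates on size.
        if max_mb > size_cap_mb:
            findings.append("max-log-file-above-2gb")
    else:
        findings.append("action-is-not-rotate-or-keep-logs")
    return findings

# CONSTRUCTED sample configurations, not taken from any real host
ROTATE_ZERO = "max_log_file_action = ROTATE\nnum_logs = 0\nmax_log_file = 6\n"
KEEP_HUGE = "max_log_file_action = keep_logs\nnum_logs = 0\nmax_log_file = 99999\n"
KEEP_2GB = "max_log_file_action = keep_logs\nnum_logs = 0\nmax_log_file = 2048\n"

if __name__ == "__main__":
    for name, cfg in (("rotate/0", ROTATE_ZERO), ("keep/99999", KEEP_HUGE), ("keep/2048", KEEP_2GB)):
        print(name, check_retention(cfg, wanted_logs=365))
```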
