Date: Wed, 22 Sep 2021 07:58:13 -0400
From: Dan Langille <dan@langille.org>
To: JB <freebsdlists.admin@protonmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: auditdistd - audit trail file retention
Message-ID: <b6529db9-8e0a-d501-4d96-6c729e935915@langille.org>
In-Reply-To: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>
References: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>
JB via freebsd-questions wrote on 9/21/21 6:37 PM:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>> From: Dan Langille dan@langille.org
>> To: "freebsd-questions@freebsd.org" freebsd-questions@freebsd.org
>> Cc: Pawel Jakub Dawidek pjd@freebsd.org
>> Subject: auditdistd - audit trail file retention
>>
>> Hello,
>>
>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>> trail file retention.
>>
>> Is there an option to dispose of older logs in /var/audit/dist ?
>>
>> So far, it seems like a custom cronjob is in order. Something like:
>>
>>     /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>
>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>> audit -e option. They do not apply to auditdistd.
>>
>> Thank you.
>>
>> Dan Langille - dan@langille.org
>> https://langille.org/
>
> Why not just use newsyslog to manage them for you? See newsyslog.conf(5)
> for details. newsyslog is a great tool and I've used it for a wide range
> of tasks, not just log files.

I use newsyslog when I can. My usual use cases include webserver logs.

The characteristics of the data help to understand why I think newsyslog
is not feasible here.

auditdistd does its own rotation. The current log is:

    20210920075929.not_terminated

The previous log is 20210920075923.20210920075929.

There are 457 log files for Sept 20:

    $ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
    457

If I used a glob, it wouldn't be a typical /var/audit/dist/*.log - it
would need to be * or something more complex.

Can newsyslog duplicate the above find? That is, removing only files
older than 7 days?

    The when field may consist of an interval, a specific time, or both.
    If an interval is specified, the log file will be trimmed if that
    many hours have passed since the last rotation.

I can't see newsyslog doing this.

Thank you.

-- 
Dan Langille
dan@langille.org
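The retention job discussed in the thread above, written out as an added example that is not part of the original messages and not auditdistd's own code. Rather than `find -mtime`, it prunes by the END timestamp that auditdistd encodes in each trail name (`START.END`, `YYYYMMDDHHMMSS`; assumed here to be UTC), so the open `START.not_terminated` file is never a deletion candidate, and a file whose mtime was disturbed by a copy or restore is judged by its name rather than its inode. The function names `prune_audit_dist` and `audit_cutoff`, the dry-run argument, and the sample filenames in the comments are my own.

```shell
#!/bin/sh
# Added example: prune auditdistd trail files in DIR whose END timestamp is
# older than DAYS days. Trail names are START.END with both fields as
# YYYYMMDDHHMMSS (assumed UTC); the file currently being written is
# START.not_terminated and is skipped because its END field is not numeric.
#
# Usage: prune_audit_dist /var/audit/dist 7 [dry]
# Prints each file removed (or, with a third argument, each file that
# would be removed) and deletes nothing in dry-run mode.

# audit_cutoff DAYS -> YYYYMMDDHHMMSS for "now minus DAYS days", in UTC.
# Tries BSD date(1) -r first, then GNU date(1) -d "@epoch".
audit_cutoff() {
    ts=$(( $(date +%s) - $1 * 86400 ))
    date -u -r "$ts" +%Y%m%d%H%M%S 2>/dev/null \
        || date -u -d "@$ts" +%Y%m%d%H%M%S
}

prune_audit_dist() {
    dir=$1
    days=$2
    dry=${3:-}
    cutoff=$(audit_cutoff "$days") || return 1

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}          # e.g. 20210920075923.20210920075929
        end=${name#*.}         # e.g. 20210920075929, or not_terminated

        # Only fully terminated trails: END must be exactly 14 digits.
        # This excludes START.not_terminated and any other suffix.
        case "$end" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac

        # Fixed-width timestamps compare correctly as integers.
        if [ "$end" -lt "$cutoff" ]; then
            printf '%s\n' "$f"
            [ -n "$dry" ] || rm -f -- "$f"
        fi
    done
}

# Run as a cron job; do a dry run first to see what a 7-day policy would
# remove (assumed invocation, shown for illustration only):
#   prune_audit_dist /var/audit/dist 7 dry
```

Because the test is on the name, the open `.not_terminated` trail is never touched, whereas a plain `-mtime +7` test would match it if the sending host went quiet for a week. Deleting audit trails is itself a security-relevant action, so keep the dry-run output from the first runs and consider copying trails to long-term storage before the job removes them.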
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b6529db9-8e0a-d501-4d96-6c729e935915>