From owner-freebsd-questions@freebsd.org Tue Sep 28 14:34:49 2021
From: Dan Langille <dan@langille.org>
To: JB
Cc: freebsd-questions@freebsd.org
Subject: Re: auditdistd - audit trail file retntion
Date: Tue, 28 Sep 2021 10:34:40 -0400
Message-ID: <587952f9-71e1-590c-aacb-1a4c8be7e053@langille.org>
References: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

JB via freebsd-questions wrote on 9/22/21 6:54 PM:
> On Wednesday, September 22nd, 2021 at 4:58 AM, Dan Langille wrote:
>
>> JB via freebsd-questions wrote on 9/21/21 6:37 PM:
>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>
>>>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>>>> From: Dan Langille dan@langille.org
>>>> To: "freebsd-questions@freebsd.org" freebsd-questions@freebsd.org
>>>> Cc: Pawel Jakub Dawidek pjd@freebsd.org
>>>> Subject: auditdistd - audit trail file retntion
>>>>
>>>> Hello,
>>>>
>>>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>>>> trail file retention.
>>>>
>>>> Is there an option to dispose of older logs in /var/audit/dist ?
>>>>
>>>> So far, it seems like a custom cronjob is in order. Something like:
>>>>
>>>>     /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>>>
>>>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>>>> audit -e option. They do not apply to auditdistd.
>>>>
>>>> Thank you.
>>>>
>>>> Dan Langille - dan@langille.org
>>>> https://langille.org/
>>>
>>> Why not just use newsyslog to manage them for you? See newsyslog.conf(5) for details.
>>
>> newsyslog is a great tool and I've used it for a wide range of tasks, not
>> just log files.
>>
>> I use newsyslog when I can. My usual use cases include webserver logs.
>>
>> The characteristics of the data help to understand why I think
>> newsyslog is not feasible here.
>>
>> auditdistd does its own rotation. The current log is:
>>
>>     20210920075929.not_terminated
>>
>> The previous log is 20210920075923.20210920075929.
>>
>> There are 457 log files for Sept 20:
>>
>>     $ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
>>     457
>>
>> If I used a glob, it won't be a typical /var/audit/dist/*.log - it would
>> need to be * or something more complex.
>>
>> Can newsyslog duplicate the above find? That is, removing only files
>> older than 7 days?
>>
>>     The when field may consist of an interval, a specific time, or both.
>>
>>     If an interval is specified, the log file will be trimmed if that many
>>     hours have passed since the last rotation.
>>
>> I can't see newsyslog doing this.
>>
>> Thank you.
>
> It might still be possible to use newsyslog, but it doesn't match up well with your requirements (auditdistd rotates the logs, and the logs are not uniformly named). There might be an existing base program that can handle the task that I'm not aware of, but at this point I'd use the cron job you created.

This is what I'm using from a periodic daily script:

    /usr/bin/find -E /var/audit/dist -type f -mtime +7 -regex "/var/audit/dist/[0-9]+.[0-9]+" -exec rm {} \;

-E for extended (modern) regular expressions

-regex  Specify the full path, because that's what regex uses: "/var/audit/dist/[0-9]+.[0-9]+"

The regex is to avoid removing the '*.not_terminated' log file, which can get to be many days old without being modified.

-- 
Dan Langille
dan@langille.org
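The same retention rule as a small periodic-style script, added here as an example and not the script from the post or anything shipped with FreeBSD. It keeps the live *.not_terminated trail by selecting only START.END names, uses portable find(1) primaries (-name instead of the BSD-only -E/-regex) so it behaves the same under FreeBSD and GNU find, and supports a dry run so the selection can be checked before anything is removed. Directory and age are assumed arguments.

```shell
#!/bin/sh
# Added example (not the post's script): prune rotated auditdistd trail
# files older than DAYS days from DIR, never touching the live
# *.not_terminated trail. Only portable find(1) primaries are used
# (-name rather than -E/-regex) so it runs with FreeBSD and GNU find.

# prune_audit_dist DIR DAYS [dry]
#   Prints each pathname selected for removal, one per line, and removes
#   it unless the third argument is "dry" (preview the selection first).
prune_audit_dist() {
    dir=$1
    days=$2
    mode=${3:-delete}
    [ -d "$dir" ] || return 1
    # Rotated trails are named START.END, two all-digit timestamps, so the
    # glob '[0-9]*.[0-9]*' already rejects START.not_terminated (the
    # character after the dot is not a digit); the explicit exclusion is
    # kept so the intent is obvious to the next reader.
    find "$dir" -type f -mtime +"$days" \
         -name '[0-9]*.[0-9]*' ! -name '*.not_terminated' -print |
    while IFS= read -r f; do
        printf '%s\n' "$f"
        [ "$mode" = dry ] || rm -f -- "$f"
    done
}
```

Run it as `prune_audit_dist /var/audit/dist 7 dry` first to see what would go, then without `dry` from the daily periodic script.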