Date: Wed, 22 Sep 2021 22:54:05 +0000
From: JB <freebsdlists.admin@protonmail.com>
To: Dan Langille <dan@langille.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: auditdistd - audit trail file retention
Message-ID: <v4632GyTjZmLX0I1eou7Dw-ittzfYz2hbkSjNdc9DMhzZ2aj16zaL0HCPgtwqrAHEMfYBvgNiH3a_quSP_s_VYjln-X2-j-uD-rTmsczI0Q=@protonmail.com>
In-Reply-To: <b6529db9-8e0a-d501-4d96-6c729e935915@langille.org>
References: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com> <b6529db9-8e0a-d501-4d96-6c729e935915@langille.org>
On Wednesday, September 22nd, 2021 at 4:58 AM, Dan Langille <dan@langille.org> wrote:

> JB via freebsd-questions wrote on 9/21/21 6:37 PM:
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >
> > > Date: Mon, 20 Sep 2021 11:07:34 -0400
> > > From: Dan Langille dan@langille.org
> > > To: "freebsd-questions@freebsd.org" freebsd-questions@freebsd.org
> > > Cc: Pawel Jakub Dawidek pjd@freebsd.org
> > > Subject: auditdistd - audit trail file retention
> > >
> > > Hello,
> > >
> > > I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
> > > trail file retention.
> > >
> > > Is there an option to dispose of older logs in /var/audit/dist?
> > >
> > > So far, it seems like a custom cronjob is in order. Something like:
> > >
> > >     /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
> > >
> > > FYI: I have read up about auditd, /etc/security/audit_control, and the
> > > audit -e option. They do not apply to auditdistd.
> > >
> > > Thank you.
> > >
> > > Dan Langille - dan@langille.org
> > > https://langille.org/
> >
> > Why not just use newsyslog to manage them for you? See newsyslog.conf(5) for details.
>
> newsyslog is a great tool and I've used it for a wide range of tasks, not
> just log files.
>
> I use newsyslog when I can. My usual use cases include webserver logs.
>
> The characteristics of the data help to understand why I think
> newsyslog is not feasible here.
>
> auditdistd does its own rotation. The current log is:
>
> 20210920075929.not_terminated
>
> The previous log is 20210920075923.20210920075929.
>
> There are 457 log files for Sept 20:
>
> $ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
> 457
>
> If I used a glob, it wouldn't be a typical /var/audit/dist/*.log - it would
> need to be * or something more complex.
>
> Can newsyslog duplicate the above find? That is, removing only files
> older than 7 days?
>
> The when field may consist of an interval, a specific time, or both.
>
> If an interval is specified, the log file will be trimmed if that many
> hours have passed since the last rotation. I can't see newsyslog doing this.
>
> Thank you.

It might still be possible to use newsyslog, but it doesn't match up well with your requirements (auditdistd rotates the logs, and the logs are not uniformly named). There might be an existing base program that can handle the task that I'm not aware of, but at this point I'd use the cron job you created.

Sent with ProtonMail Secure Email.
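A retention script for an auditdistd trail directory, added here as an example; it is not code from the thread and not part of FreeBSD base. It generalizes the find(1) cron job quoted above: trails are selected by the END timestamp auditdistd puts in the file name (START.END, with the open trail named START.not_terminated, as shown in the quoted message), so the trail still being written and any unrelated file in the directory are never removed, whatever their mtime. The function names and the cutoff parameter are this example's own; the date(1) flags assume FreeBSD or GNU date.

```shell
#!/bin/sh
# Retention helper for an auditdistd trail directory (hypothetical helper
# written for this example; not from the thread or from FreeBSD base).
#
# auditdistd names a completed trail START.END and the trail it is currently
# writing START.not_terminated, where START and END are YYYYMMDDhhmmss. The
# functions below pick trails by the END stamp in the name instead of by
# mtime, so the open trail and any file outside the naming scheme are never
# candidates, regardless of their timestamps on disk.
set -eu

# True if $1 is exactly 14 digits (a YYYYMMDDhhmmss stamp).
is_ts() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{14}$'
}

# Print the completed trails in directory $1 whose END stamp is older than
# cutoff $2 (YYYYMMDDhhmmss). Dry run: nothing is removed here.
expired_trails() {
    dir=$1 cutoff=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        start=${name%%.*}          # text before the first dot
        end=${name#*.}             # text after the first dot
        # Fixed-width stamps compare correctly as plain integers.
        if is_ts "$start" && is_ts "$end" && [ "$end" -lt "$cutoff" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove the trails expired_trails would print.
purge_trails() {
    expired_trails "$1" "$2" | while IFS= read -r f; do
        rm -- "$f"
    done
}

# Cutoff stamp for "$1 days ago" in UTC. FreeBSD date(1) takes -v; the
# GNU form is tried second so the script also runs on Linux.
cutoff_days_ago() {
    date -u -v-"$1"d +%Y%m%d%H%M%S 2>/dev/null \
        || date -u -d "$1 days ago" +%Y%m%d%H%M%S
}

# Cron usage, equivalent to the 7-day rule from the thread:
#   purge_trails /var/audit/dist "$(cutoff_days_ago 7)"
```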