Date: Tue, 28 Sep 2021 17:24:49 -0400
From: Dan Langille <dan@langille.org>
To: JB <freebsdlists.admin@protonmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: auditdistd - audit trail file retntion
Message-ID: <402d471c-2193-49dd-525a-5da749139af9@langille.org>
In-Reply-To: <DLShptKZG1uy-pkaC3TaStlywF7jXshKE465rL2Mq_BfnZUVLyPalv-Py6jDrsT-Hh1zXwkkeb_py6_Pkxdo9M1OoZbPtnFKYIRHfVLh8RY=@protonmail.com>
References: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>
 <b6529db9-8e0a-d501-4d96-6c729e935915@langille.org>
 <v4632GyTjZmLX0I1eou7Dw-ittzfYz2hbkSjNdc9DMhzZ2aj16zaL0HCPgtwqrAHEMfYBvgNiH3a_quSP_s_VYjln-X2-j-uD-rTmsczI0Q=@protonmail.com>
 <587952f9-71e1-590c-aacb-1a4c8be7e053@langille.org>
 <DLShptKZG1uy-pkaC3TaStlywF7jXshKE465rL2Mq_BfnZUVLyPalv-Py6jDrsT-Hh1zXwkkeb_py6_Pkxdo9M1OoZbPtnFKYIRHfVLh8RY=@protonmail.com>
JB wrote on 9/28/21 5:18 PM:
> On Tuesday, September 28th, 2021 at 7:34 AM, Dan Langille <dan@langille.org> wrote:
>
>>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>>> From: Dan Langille dan@langille.org
>>> To: "freebsd-questions@freebsd.org" freebsd-questions@freebsd.org
>>> Cc: Pawel Jakub Dawidek pjd@freebsd.org
>>> Subject: auditdistd - audit trail file retntion
>>>
>>> Hello,
>>>
>>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>>> trail file retention.
>>>
>>> Is there an option to dispose of older logs in /var/audit/dist ?
>>>
>>> So far, it seems like a custom cronjob is in order. Something like:
>>>
>>>     /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>>
>>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>>> audit -e option. They do not apply to auditdistd.
>>>
>>> Thank you.
>>>
>> This is what I'm using from a periodic daily script:
>>
>> /usr/bin/find -E /var/audit/dist -type f -mtime +7 -regex "/var/audit/dist/[0-9]+.[0-9]+" -exec rm {} \;
>>
>> Dan Langille
>> dan@langille.org
>
> Looks good. You can use the "-delete" flag instead of "-exec rm {} \;" but it shouldn't make much difference. Also, the `cron' default PATH includes /usr/bin, so you can probably just use `find' instead of the absolute path (that's why the "-exec rm" isn't complaining about a missing `rm' program).
>
> Again, not that it makes much difference, but you can use the exclusion "!" flag to match the single "*.not_terminated" file, then nuke all other files inside that dir without needing the "-regex".
>
> find /var/audit/dist/ ! -name "*.not_terminated" -type f -mtime +7 -delete

I'll keep the full path, just because.

The -delete option is good. We will use that.

Getting rid of the regex is good:

$ sudo /usr/bin/find /var/audit/dist ! -name "*.not_terminated" -type f -mtime +1
/var/audit/dist/999testingbydan88
/var/audit/dist/999.888
/var/audit/dist/999d

Once more, with a typo in the name:

$ sudo /usr/bin/find /var/audit/dist ! -name "*.not_terminatedd" -type f -mtime +1
/var/audit/dist/20210920075929.not_terminated
/var/audit/dist/999testingbydan88
/var/audit/dist/999.888
/var/audit/dist/999d

Thank you.

-- 
Dan Langille
dan@langille.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?402d471c-2193-49dd-525a-5da749139af9>