Date:      Wed, 22 Sep 2021 07:58:13 -0400
From:      Dan Langille <dan@langille.org>
To:        JB <freebsdlists.admin@protonmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: auditdistd - audit trail file retention
Message-ID:  <b6529db9-8e0a-d501-4d96-6c729e935915@langille.org>
In-Reply-To: <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>
References:  <63FzSG9SYK55EYli0V-lgAHWQu0WKoRYoAz1IFKsq8kpIoC3TXLG765IctTawyK_DAYGU4yRzG_MPYFm6bfCujEEMLjPtLumNDhAUcsQO0E=@protonmail.com>

JB via freebsd-questions wrote on 9/21/21 6:37 PM:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>> From: Dan Langille dan@langille.org
>> To: "freebsd-questions@freebsd.org" freebsd-questions@freebsd.org
>> Cc: Pawel Jakub Dawidek pjd@freebsd.org
>> Subject: auditdistd - audit trail file retention
>> Hello,
>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>> trail files retention.
>> Is there an option to dispose of older logs in /var/audit/dist ?
>>
>> So far, it seems like a custom cronjob is in order. Something like:
>>
>> /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>
>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>> audit -e option. They do not apply to auditdistd.
>>
>> Thank you.
>>
>> Dan Langille - dan@langille.org
>> https://langille.org/
> Why not just use newsyslog to manage them for you? See newsyslog.conf(5) for details.
newsyslog is a great tool and I've used it for a wide range of tasks, not 
just log files.

I use newsyslog when I can. My usual use cases include webserver logs.

The characteristics of the data help explain why I think 
newsyslog is not feasible here.

auditdistd does its own rotation. The current log is: 
20210920075929.not_terminated

The previous log is 20210920075923.20210920075929.

There are 457 log files for Sept 20:

$ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
457

If I used a glob, it wouldn't be a typical /var/audit/dist/*.log - it would 
need to be * or something more complex.

Can newsyslog duplicate the above find? That is, removing only files 
older than 7 days?

The when field may consist of an interval, a specific time, or both.

If an interval is specified, the log file will be trimmed if that many 
hours have passed since the last rotation. I can't see newsyslog doing this.

Thank you.
-- 
Dan Langille
dan@langille.org
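The find-based retention job discussed in this thread, written out as an added example (not code from the thread or from FreeBSD's auditdistd). It keeps the `-type f -mtime +7` logic of the original one-liner but adds two things a practitioner would want when pruning audit evidence: the active `*.not_terminated` trail is never matched, and the default mode only lists candidates so the job can be checked before `delete` is enabled. The function name `prune_audit_trails` and the `count_audit_trails` helper are my own; the directory and day count default to the thread's /var/audit/dist and 7 days. `find -delete` and `-mtime +N` are standard on FreeBSD and GNU find.

```shell
#!/bin/sh
# Added example (not from the thread): retention for auditdistd trail files.
# Trail names look like 20210920075923.20210920075929 (start.stop) and the
# current, still-open trail is 20210920075929.not_terminated. The open trail
# is excluded so a cron run can never remove the file auditd is writing.
set -eu

# prune_audit_trails DIR DAYS [MODE]
#   MODE "list" (default): print trail files older than DAYS days, remove nothing
#   MODE "delete":         print and remove them
# Returns 1 if DIR is missing, 2 on bad arguments, 0 otherwise.
prune_audit_trails() {
    dir=$1
    days=$2
    mode=${3:-list}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a non-negative integer: $days" >&2; return 2 ;;
    esac
    case $mode in
        list)
            # -mtime +N matches files whose mtime is more than N*24h ago.
            find "$dir" -type f ! -name '*.not_terminated' -mtime +"$days" -print
            ;;
        delete)
            # -print before -delete so the cron mail records what was removed.
            find "$dir" -type f ! -name '*.not_terminated' -mtime +"$days" -print -delete
            ;;
        *)
            echo "MODE must be list or delete: $mode" >&2; return 2
            ;;
    esac
}

# count_audit_trails DIR: number of terminated trail files currently in DIR,
# useful for a before/after line in the cron output.
count_audit_trails() {
    find "$1" -type f ! -name '*.not_terminated' | wc -l | tr -d ' '
}

# Cron usage (assumed invocation, e.g. nightly):
#   /path/to/prune_audit_trails.sh /var/audit/dist 7 delete
if [ $# -gt 0 ]; then
    prune_audit_trails "$@"
fi
```

Run it once in `list` mode and compare the output with `ls -l` before switching the cron entry to `delete`; if the trails are needed as evidence beyond the retention window, replace `-delete` with an archive step to offline storage rather than shortening the window.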