On Sat, Sep 4, 2010 at 1:52 PM, Dominick Grift <domg472(a)gmail.com> wrote:
On Sat, Sep 04, 2010 at 01:24:33PM -0400, Mike Williams wrote:
>
> Any idea why one box out of three would behave differently? It is a
> worrisome difference.
Audit does not use logrotate to rotate logs. I think it does that itself.
See /etc/audit/auditd.conf
Also the log can be rotated by running the auditd rc script: service auditd
rotate
After lots of digging and, confirmed by your response, I now realize that
logrotate is not being used. The cron file I mentioned uses the command you
mentioned (service auditd rotate) to rotate the logs.
I just compared /etc/auditd.conf and /etc/audit.rules on the system that was
not rotating logs with one of the ones that has been rotating audit.log and
they are identical.
So, for me, my original question remains a puzzle. Why did it just work on
two out of three boxes, but require adding a cron job to do "service auditd
rotate" on the the third. Murphy's Law is in force here, the system that
has not been rotating the logs is the one that is the most important, at
least in terms of the number of people who use it.
Mainly I'm concerned about what will happen on the update to f14, since the
misbehaving system is now fixed.
Mike