On Sat, Sep 4, 2010 at 1:52 PM, Dominick Grift <domg472@gmail.com> wrote:
On Sat, Sep 04, 2010 at 01:24:33PM -0400, Mike Williams wrote:
> Any idea why one box out of three would behave differently?  It is a
> worrisome difference.

Audit does not use logrotate to rotate logs. I think it does that itself. See /etc/audit/auditd.conf
Also the log can be rotated by running the auditd rc script: service auditd rotate

After lots of digging and, confirmed by your response, I now realize that logrotate is not being used.  The cron file I mentioned uses the command you mentioned (service auditd rotate) to rotate the logs.

I just compared /etc/auditd.conf and /etc/audit.rules on the system that was not rotating logs with one of the ones that has been rotating audit.log and they are identical.

So, for me, my original question remains a puzzle.  Why did it just work on two out of three boxes, but require adding a cron job to do "service auditd rotate" on the the third.  Murphy's Law is in force here, the system that has not been rotating the logs is the one that is the most important, at least in terms of the number of people who use it.

Mainly I'm concerned about what will happen on the update to f14, since the misbehaving system is now fixed.