I am trying to add secure and audit logs to logrotate for a client whom wants the logs for a period of 6 months, compressed/zipped weekly for auditing.
I am terrible with logrotate and since there isn't default settings for both logs, I created two new entries in my /etc/logrotate.d/ and soon I'll remove the secure logs from default syslog logrotate definition
Code:
# used by all secure logs
/var/log/secure
{
weekly
rotate 24
compress
notifempty
sharedscripts
postrotate
-------------------------->how do i reload secure logs?
endscript
}
#used by all audit.log
/var/log/audit/audit.log
{
weekly
rotate 24
compress
notifempty
sharedscripts
postrotate
-------------------------->how do i reload audit logs?
endscript
}
Could someone please check and ensure if this setting is correct? Also, how do I restart both logs after it has been compressed and store on the server? My syslog reads like this:
I meant to restart audit logs and secure logs at the end of the week, so it appends to a different file and the old logs are zipped
---------- Post updated at 05:59 PM ---------- Previous update was at 05:53 PM ----------
I just realised that it's easier to just add audit logs into the existing syslog logrotate definition (is that alright, or I will be facing problems later?)
I'm still not getting you fully. You want to rotate the logs every 6 months, but also on a weekly basis?
You can indeed use your current syslog and just add more logs to it; Keep in mind however that all other logs will also start to follow the same 6-month rotation rules. Mail spools for instance are prone to eat up large amounts of space when something goes wrong whith the mail daemon. The same is true for "messages" log file if it's keeping a record of debugging information.
Used space in /var depends on the size of the logs as well as the size of the filesystem. Without having a good understanding of your particular system it'd be hard to tell exactly what would be the best approach to follow in order to prevent disk saturation.
Last edited by verdepollo; 01-04-2012 at 03:19 PM..
1. to keep (certain system logs i.e-secure, messages, audit) logs for a period of 6 months (24 weeks)
Here's how I was planning on doing it
1. Rotate the logs for 24 weeks on weekly basis before removing them
2. But not before compressing the old logs weekly
So my logs would look like this
Code:
-rw------- 1 root root 1619422 Dec 5 04:02 messages.1.gz
-rw------- 1 root root 14822696 Dec 12 04:02 messages.2.gz
-rw------- 1 root root 15021180 Dec 19 04:02 messages.3.gz
-rw------- 1 root root 20300421 Dec 26 04:02 messages.4.gz
-rw------- 1 root root 13564183 Jan 2 11:52 messages.5.gz
-rw------- 1 root root 13564183 Jan 5 11:52 messages---------current log
The other way I was planning is it to rotate it on monthly basis:
1. Rotate the logs each month for 6 months before removing them
2. But not before compressing the old logs monthly
Code:
-rw------- 1 root root 1619422 Dec 2 04:02 messages.1.gz
-rw------- 1 root root 14822696 Jan 2 04:02 messages.2.gz
-rw------- 1 root root 15021180 Feb 2 04:02 messages.3.gz
-rw------- 1 root root 20300421 Mar 2 04:02 messages.4.gz
-rw------- 1 root root 13564183 Jan 2 11:52 messages.5.gz
-rw------- 1 root root 13564183 Jan 5 11:52 messages---------current log
Also I have about 4G of space on /var and if disk space is exhausted I can just add in another disk.
I know this will totally consume /var but they're really fussy about the logs so I have no choice but to keep them, however I can definitely housekeep these files if they grow too large and recall later from backup tapes..hope this is clear enough for your understanding
Well, seems you've already figured out how to solve it, am I right?
If you just want to hear an opinion, both options are OK. Try them both and see which one fits better to your preference. That's the beauty of linux, there are a plethora of ways to solve a single problem.
This User Gave Thanks to verdepollo For This Post:
no no! I just edited the current logs time stamps to show you the desired results.
I was hoping you could check if my syntax is correct, I logged a case with RHEL support and they refuse to check my syntax. Some policy with "no scripting"
Hi guys.
I have to set audit logs on certain events on a solaris 10 server.
While I had no problems on linux, I'm going crazy to do the same thing on solaris 10, since I don't have enough expertise on this OS .
I should be able to identify these 4 different events:
1: Tracking all... (2 Replies)
MyLOG:
2017/11/12 17:01:54.600 : Error: LPID: 3104680848 WRONG CRITERIA FOUND. tRealBuilder::Generate
Output Required:
If Ke word "WRONG CRITERIA FOUND" in latest log ( logs are regularly generating - real time) mail to us
once mailed wait for 2 hours for second mail.
mail subject... (3 Replies)
HI Community,
how can i configure audit logs for global zones and standard zone. i have enabled and started auditd service and it went to maintenance mode. please help me to configure that
Thanks & Regards,
BEn (9 Replies)
Hello All,
I'm using a RHEL6.4 on IBM X3850 X5 server. I want to get a comprehensive report containing disk-wise health status as well as overall server status.
I see there's utility "ibm_utl_dsa_dsytd3h-9.51_portable_rhel6_x86-64.bin" which is also used to do diagnostics tasks. I'm not sure of... (1 Reply)
Hello all,
I've configured 'audit' service to send the audit logs to a remote log server (by using syslog plugin), which is working fine.
However, there is a problem. audit service also tries to write same information (but in binary format) in /var/audit path.
So, Is there anyway to stop... (2 Replies)
Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Dear All
When I start the AIX(6100-06)audit subsystem.
the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB.
It will replace the original /audit/stream.out (or /audit/trail).
Then the /audit/stream.out become empty and... (2 Replies)
How do i find if audit logs is secured inside Solaris 10?
· Verify that that audit log files are secured and owned appropriately.
this is the question (1 Reply)
Folks
I am on a quest....
I am looking for a lightweight FTP client capable of FTPS and or SFTP that has good audit and logging capabilities without requiring a central server component. My platforms are Linux, Solaris, AIX, and Windows Server.
The kicker is I have found things that meet the... (3 Replies)
I am new to the world of Unix. As part of my understanding to have a big picture of Unix, I need to understand:
1. How to review the existing unix system or audit for the settings?
2. How do I go about fixing the holes? (4 Replies)
01-04-2012
