We recently realized that our current configuration for auditd was causing our /var/log/audit filesystem to become full so I started to play around with the /etc/audit/auditd.conf file to try to fix that. I modified the conf file to look like this:
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 4
max_log_file_action = ROTATE
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = halt
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
But the files in /var/log/audit are still becoming larger than what is set in max_log_file (size in MB)
root@my-server:~# ls -lah /var/log/audit/
total 18M
drwx------ 3 root root 3.0K Apr 22 13:17 .
drwxrwxr-x 12 root syslog 4.0K Apr 22 03:13 ..
-rw------- 1 root root 4.2M Apr 22 13:35 audit.log
-r-------- 1 root root 4.1M Apr 22 13:17 audit.log.1
-r-------- 1 root root 4.0M Apr 22 11:22 audit.log.2
-r-------- 1 root root 5.0M Apr 22 11:39 audit.log.3
drwx------ 2 root root 12K Feb 4 10:44 lost+found
The one that is 4.0M I rotated manually by running auditd by itself. While troubleshooting this it led me to wonder, what is watching this directory that sends the notification to auditd to rotate the logs when the current audit.log is at the maximum size? The only process that's running that I found that I think could be doing that is
root 149689 0.0 0.2 11580 2568 ? S<sl 11:43 0:00 /sbin/auditd -n
But it doesn't seem to be working how I think it should.
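A small check that compares the rotation policy in auditd.conf with what is actually on disk, so a defender can alert when the audit log directory is drifting past its configured limits. This is an added example, not code from the original post or from the audit package. It assumes auditd interprets max_log_file as MiB (4 gives 4194304 bytes), and the slack of 64 KiB for the record that crosses the limit, the sample configuration excerpt and the byte counts in SAMPLE_SIZES are all constructed for the example.

```python
"""Compare an auditd.conf rotation policy against the files found in the
audit log directory.  Added example for the question above; it is not part
of the original post or of the audit package."""
import os
import re

MIB = 1024 * 1024  # max_log_file is given in MiB, so 4 -> 4194304 bytes

# Rotation is decided after a record is written, so a file may overshoot the
# limit by roughly one record.  64 KiB is an assumed tolerance for this check,
# not a value taken from auditd.
SLACK_BYTES = 64 * 1024


def parse_auditd_conf(text):
    """Parse 'key = value' lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def audit_log_sizes(log_dir):
    """Return {name: bytes} for audit.log and its rotated copies in log_dir."""
    pattern = re.compile(r"^audit\.log(\.\d+)?$")
    sizes = {}
    for name in os.listdir(log_dir):
        if pattern.match(name):
            sizes[name] = os.path.getsize(os.path.join(log_dir, name))
    return sizes


def check_rotation(conf, sizes):
    """Report files above max_log_file (plus slack) and whether the number of
    rotated copies is consistent with num_logs (num_logs counts audit.log
    itself, so at most num_logs - 1 rotated copies are expected)."""
    limit = int(conf.get("max_log_file", "0")) * MIB
    num_logs = int(conf.get("num_logs", "0"))
    action = conf.get("max_log_file_action", "").upper()
    oversize = sorted(
        name for name, size in sizes.items()
        if limit and size > limit + SLACK_BYTES
    )
    rotated = [name for name in sizes if name != "audit.log"]
    return {
        "limit_bytes": limit,
        "rotate_enabled": action == "ROTATE",
        "oversize": oversize,
        "rotated_count": len(rotated),
        "num_logs": num_logs,
        "too_many_rotated": num_logs > 0 and len(rotated) > num_logs - 1,
    }


# Constructed excerpt mirroring the rotation settings in the question.
SAMPLE_CONF = """\
# constructed auditd.conf excerpt
log_file = /var/log/audit/audit.log
max_log_file = 4
max_log_file_action = ROTATE
num_logs = 4
"""

# Constructed byte counts approximating the listing in the question.
SAMPLE_SIZES = {
    "audit.log": 4_404_019,    # ~4.2M, the live file
    "audit.log.1": 4_299_161,  # ~4.1M
    "audit.log.2": 4_194_816,  # ~4.0M, within slack of the limit
    "audit.log.3": 5_242_880,  # ~5.0M, well past the limit
}

if __name__ == "__main__":
    # Run against the constructed sample; swap in
    # audit_log_sizes("/var/log/audit") to inspect a real directory.
    report = check_rotation(parse_auditd_conf(SAMPLE_CONF), SAMPLE_SIZES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run from cron or a monitoring agent, a non-empty "oversize" list or "too_many_rotated" being true is the condition worth alerting on, since either one means the daemon is not enforcing the policy you think it is.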
-h would say around 4.1M, it should be 4194304 or a few hundreds more or less, which seems OK for the 3 newer files. The older file could be created before you changed the configuration, are you sure it's not? After waiting for some time, do all go to ~4.1? – thanasisp Apr 23 '22 at 01:00