auditdistd - audit trail file retention
Dan Langille
dan at langille.org
Tue Sep 28 14:34:49 UTC 2021
JB via freebsd-questions wrote on 9/22/21 6:54 PM:
> On Wednesday, September 22nd, 2021 at 4:58 AM, Dan Langille <dan at langille.org> wrote:
>
>> JB via freebsd-questions wrote on 9/21/21 6:37 PM:
>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>
>>>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>>>> From: Dan Langille dan at langille.org
>>>> To: "freebsd-questions at freebsd.org" freebsd-questions at freebsd.org
>>>> Cc: Pawel Jakub Dawidek pjd at freebsd.org
>>>> Subject: auditdistd - audit trail file retention
>>>>
>>>> Hello,
>>>>
>>>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>>>> trail files retention.
>>>>
>>>> Is there an option to dispose of older logs in /var/audit/dist ?
>>>>
>>>> So far, it seems like a custom cronjob is in order. Something like:
>>>>
>>>> /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>>>
>>>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>>>> audit -e option. They do not apply to auditdistd.
>>>>
>>>> Thank you.
>>>>
>>>> Dan Langille - dan at langille.org
>>>>
>>>> https://langille.org/
>>>
>>> Why not just use newsyslog to manage them for you? See newsyslog.conf(5) for details.
>> newsyslog is a great tool and I've used it for wide range of tasks, not
>> just log files.
>>
>> I use newsyslog when I can. My usual use cases include webserver logs.
>>
>> The characteristics of the data helps to understand why I think
>> newsyslog is not feasible here.
>>
>> auditdistd does its own rotation. The current log is:
>>
>> 20210920075929.not_terminated
>>
>> The previous log is 20210920075923.20210920075929.
>>
>> There are 457 log files for Sept 20:
>>
>> $ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
>> 457
>>
>> If I used a glob, it won't be a typical /var/audit/dist/*.log - it would
>> need to be * or something more complex.
>>
>> Can newsyslog duplicate the above find? That is, removing only files
>> older than 7 days?
>>
>> The when field may consist of an interval, a specific time, or both.
>>
>> If an interval is specified, the log file will be trimmed if that many
>> hours have passed since the last rotation. I can't see newsyslog doing this.
>>
>> Thank you.
> It might still be possible to use newsyslog, but it doesn't match up well with your requirements (auditdistd rotates the logs, and the logs are not uniformly named). There might be an existing base program that can handle the task that I'm not aware of, but at this point I'd use the cron job you created.
>
This is what I'm using from a periodic daily script:

/usr/bin/find -E /var/audit/dist -type f -mtime +7 -regex "/var/audit/dist/[0-9]+\.[0-9]+" -exec rm {} \;

-E for extended (modern) regular expressions

-regex Specify the full path, because that's what regex uses:
"/var/audit/dist/[0-9]+\.[0-9]+"

The regex is to avoid removing the '*.not_terminated' log file, which
can get to be many days old without being modified.
--
Dan Langille
dan at langille.org
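As an added example that is not code from this thread or from auditdistd itself, here is a POSIX sh version of the same retention job. Instead of keying on mtime it reads the end timestamp out of the <start>.<end> file name and skips the live *.not_terminated trail by pattern, so the active trail stays safe however old its mtime gets. The seven-day window, the date(1) flags in cutoff_stamp and the file names used in demo() are my assumptions and constructed data, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from auditdistd: prune the
# finished trail files in an auditdistd receive directory by the END
# timestamp carried in each file name, never by mtime, and never touch
# the trail that is still being written.
#
# The names follow what the thread shows for /var/audit/dist:
#   20210920075923.20210920075929   finished trail, <start>.<end>
#   20210920075929.not_terminated   trail still being appended to
#
# Assumptions that are mine, not the thread's: the seven-day window in the
# usage note, the date(1) flags in cutoff_stamp, and the sample file names
# constructed in demo().

# Glob for one YYYYmmddHHMMSS stamp (14 digits); used in the case patterns.
STAMP='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# cutoff_stamp DAYS: print "now minus DAYS days" as a UTC stamp.
# BSD date(1) takes -v, GNU date(1) takes -d: try the first, fall back.
cutoff_stamp() {
    date -u -v-"$1"d '+%Y%m%d%H%M%S' 2>/dev/null ||
        date -u -d "$1 days ago" '+%Y%m%d%H%M%S'
}

# prune_trails DIR CUTOFF: delete every <start>.<end> trail in DIR whose
# <end> stamp is older than CUTOFF and print its name, one per line.
# "*.not_terminated" and files that do not look like trails are skipped.
prune_trails() {
    dir=$1
    cutoff=$2
    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        case "$name" in
            *.not_terminated) continue ;;   # live trail: never remove
            $STAMP.$STAMP) ;;               # <start>.<end>: finished trail
            *) continue ;;                  # not an audit trail at all
        esac
        end=${name#*.}
        # Stamps are fixed-width YYYYmmddHHMMSS, so numeric order is time order.
        if [ "$end" -lt "$cutoff" ]; then
            rm -f -- "$path"
            echo "$name"
        fi
    done
}

# Stand-alone demo on constructed names in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    for n in 20210912010000.20210912020000 \
             20210920075923.20210920075929 \
             20210920075929.not_terminated \
             README; do
        : > "$d/$n"
    done
    echo "removed (ended before 20210915000000):"
    prune_trails "$d" 20210915000000
    echo "kept:"
    ls "$d"
    rm -rf -- "$d"
}

demo
```

From /etc/periodic/daily or cron the call becomes `prune_trails /var/audit/dist "$(cutoff_stamp 7)"`. Keying on the end stamp rather than mtime means a copy or restore of the directory, which resets mtime, cannot make old trails look new, and the explicit case on *.not_terminated keeps the live trail out of reach regardless of how long it has gone unmodified, which is the problem the -regex in the find command above works around.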