auditdistd - audit trail file retention

Dan Langille dan at langille.org
Tue Sep 28 21:24:53 UTC 2021


JB wrote on 9/28/21 5:18 PM:
> On Tuesday, September 28th, 2021 at 7:34 AM, Dan Langille <dan at langille.org> wrote:
> 
>>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>>> From: Dan Langille dan at langille.org
>>> To: "freebsd-questions at freebsd.org" freebsd-questions at freebsd.org
>>> Cc: Pawel Jakub Dawidek pjd at freebsd.org
>>> Subject: auditdistd - audit trail file retention
>>>
>>> Hello,
>>>
>>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I am writing about audit
>>> trail file retention.
>>>
>>> Is there an option to dispose of older logs in /var/audit/dist ?
>>>
>>> So far, it seems like a custom cronjob is in order. Something like:
>>>
>>>      /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>>
>>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>>> audit -e option. They do not apply to auditdistd.
>>>
>>> Thank you.
>>>
>> This is what I'm using from a periodic daily script:
>>
>>      /usr/bin/find -E /var/audit/dist -type f -mtime +7 -regex "/var/audit/dist/[0-9]+.[0-9]+" -exec rm {} \;
>>
>> Dan Langille
>>
>> dan at langille.org
> 
> Looks good. You can use the "-delete" flag instead of "-exec rm {} \;" but it shouldn't make much difference. Also, the `cron' default PATH includes /usr/bin, so you can probably just use `find' instead of absolute path (that's why the "-exec rm" isn't complaining about a missing `rm' program).
> 
> Again not that it makes much difference, but you can use the exclusion "!" flag to match the single "*.not_terminated" file, then nuke all other files inside that dir without needing the "-regex".
> 
> find /var/audit/dist/ ! -name "*.not_terminated" -type f -mtime +7 -delete

I'll keep the full path, just because. The -delete option is good. We 
will use that.

Getting rid of regex is good:

$ sudo /usr/bin/find /var/audit/dist ! -name "*.not_terminated" -type f -mtime +1
/var/audit/dist/999testingbydan88
/var/audit/dist/999.888
/var/audit/dist/999d

Once more, with a typo in the name

$ sudo /usr/bin/find /var/audit/dist ! -name "*.not_terminatedd" -type f -mtime +1
/var/audit/dist/20210920075929.not_terminated
/var/audit/dist/999testingbydan88
/var/audit/dist/999.888
/var/audit/dist/999d

Thank you.

-- 
Dan Langille
dan at langille.org
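As an added example (not code from this thread or from FreeBSD), the find invocation the thread settles on, wrapped as a function for a periodic daily script: it only lists candidates unless told to delete, so the name pattern can be checked first the way the typo test above does, and it never matches the "*.not_terminated" trail still being received. The function name, the dry-run convention and the argument validation are assumptions of this example.

```shell
#!/bin/sh
# prune_audit_dist DIR DAYS [delete]
#   Lists regular files under DIR older than DAYS days, skipping the
#   "*.not_terminated" file that auditdistd is still writing.  Files are
#   removed only when the third argument is the word "delete"; anything
#   else is a dry run, so a typo in the pattern shows up as an extra
#   listed name rather than a lost trail.
set -u

prune_audit_dist() {
    dir=$1
    days=$2
    mode=${3:-dryrun}

    if [ ! -d "$dir" ]; then
        echo "prune_audit_dist: $dir is not a directory" >&2
        return 1
    fi
    # -mtime must get a plain non-negative integer, never an empty string
    case $days in
        ''|*[!0-9]*) echo "prune_audit_dist: bad day count '$days'" >&2; return 1 ;;
    esac

    if [ "$mode" = delete ]; then
        # -print before -delete leaves a record of what was removed in the
        # periodic output
        find "$dir" ! -name '*.not_terminated' -type f -mtime +"$days" -print -delete
    else
        find "$dir" ! -name '*.not_terminated' -type f -mtime +"$days" -print
    fi
}

# Run directly as a script: sh prune_audit_dist.sh /var/audit/dist 7 [delete]
if [ $# -ge 2 ]; then
    prune_audit_dist "$@"
fi
```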

