RedHat Linux audit log rotation

On RedHat Linux, by default, security-relevant system logs are written to /var/log/secure and /var/log/audit/audit.log. Like other system logs, they need to be maintained (aka rotated) to make sure they don’t fill the disk.

The audit log is managed differently from the other system logs. Its configuration file /etc/audit/auditd.conf determines how the audit log is rotated. For example:

  1. max_log_file — the maximum size of a log file in megabytes.
  2. max_log_file_action — what action to take when the system has detected that the max file size limit has been reached. Valid values are ignore, syslog, suspend, rotate and keep_logs. If set to ignore, the audit daemon does nothing. syslog means issuing a warning to syslog. suspend makes the audit daemon stop writing records to disk. The rotate option will cause the audit daemon to rotate the logs. The keep_logs option is similar to rotate except it does not use the num_logs setting, which prevents audit logs from being overwritten.
  3. num_logs — the number of log files to keep if rotate is given as the max_log_file_action.
  4. log_file — the full path name of the audit log.

You can use “man auditd.conf” to see full descriptions of all parameters.
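As an added example (not from the original post), the small shell script below reads those same parameters out of an auditd.conf and turns them into the two things a reviewer actually wants to know: the worst-case disk footprint of the audit logs, and whether the configured max_log_file_action can lose events or fill the disk. The two config files it parses are constructed samples written to temporary files, not copies of a real system’s /etc/audit/auditd.conf.

```shell
#!/bin/sh
# Added example: sanity-check the rotation settings in an auditd.conf.

# Constructed sample with a sane rotation policy (values are made up).
AUDITD_CONF_SAMPLE="$(mktemp)"
cat >"$AUDITD_CONF_SAMPLE" <<'EOF'
# constructed sample, not a real auditd.conf
log_file = /var/log/audit/audit.log
log_format = ENRICHED
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
EOF

# Constructed sample with the weak setting: the file grows without limit.
AUDITD_CONF_WEAK="$(mktemp)"
cat >"$AUDITD_CONF_WEAK" <<'EOF'
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = IGNORE
EOF

# auditd_get KEY CONF: print KEY's value. auditd.conf lines are "key = value"
# with '#' comments; keys are case-insensitive, so compare them lowercased.
auditd_get() {
    awk -F'=' -v key="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$2"
}

# audit_log_budget_mb CONF: upper bound in MB on audit.log plus its rotated
# copies, or "unbounded" when the action never caps growth.
audit_log_budget_mb() {
    size=$(auditd_get max_log_file "$1")
    num=$(auditd_get num_logs "$1")
    action=$(auditd_get max_log_file_action "$1" | tr 'A-Z' 'a-z')
    if [ -z "$size" ] || [ -z "$num" ]; then
        echo unknown; return 1
    fi
    case "$action" in
        rotate)
            # auditd.conf(5): fewer than 2 logs means no rotation takes place.
            if [ "$num" -lt 2 ]; then echo unbounded; else echo $(( size * num )); fi ;;
        suspend)
            echo "$size" ;;          # daemon stops writing once the limit is hit
        *)
            echo unbounded ;;        # ignore, syslog, keep_logs: file(s) keep growing
    esac
}

# audit_action_verdict CONF: "ok" when events are kept and growth is bounded,
# otherwise the reason a reviewer would flag.
audit_action_verdict() {
    action=$(auditd_get max_log_file_action "$1" | tr 'A-Z' 'a-z')
    case "$action" in
        rotate)        echo ok ;;
        keep_logs)     echo "ok: no events lost, but disk use is not capped" ;;
        suspend)       echo "WARN: auditing stops at max_log_file, new events are lost" ;;
        ignore|syslog) echo "WARN: audit.log grows without limit" ;;
        *)             echo "WARN: unknown max_log_file_action '$action'" ;;
    esac
}

for conf in "$AUDITD_CONF_SAMPLE" "$AUDITD_CONF_WEAK"; do
    echo "$conf: budget=$(audit_log_budget_mb "$conf")MB verdict=$(audit_action_verdict "$conf")"
done
```

Run it against the real /etc/audit/auditd.conf by passing that path to the two functions instead of the samples; the budget figure is what you compare against the free space on the /var/log/audit filesystem.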

Note: on my Linux 8 system, after changing max_log_file_action to rotate, reload doesn’t work for manual rotation:

root@joetestvm:/var/log/audit# systemctl reload auditd
Failed to reload auditd.service: Job type reload is not applicable for unit auditd.service.

However, using “kill -HUP” works and makes the audit log rotate once the max size has been reached. If the max size has not been reached, “kill -HUP” won’t do anything, but “service auditd rotate” will force a rotation.

root@joetestvm:/var/log/audit# du -sh *
11G     audit.log
8.1M    audit.log.1
8.1M    audit.log.2
8.1M    audit.log.3
8.1M    audit.log.4

root@joetestvm:/var/log/audit# ps -ef|grep auditd
root         192       2  0 Feb09 ?        00:04:24 [kauditd]
root        1349       1  2 Feb09 ?        00:52:58 /sbin/auditd
root     2160672    2501  0 14:10 pts/0    00:00:00 grep --color=auto auditd

root@joetestvm:/var/log/audit# kill -HUP 1349

root@joetestvm:/var/log/audit# du -sh *
1.6M    audit.log
11G     audit.log.1
8.1M    audit.log.2
8.1M    audit.log.3
8.1M    audit.log.4

Rotate with “/sbin/service auditd rotate”

root@joetestvm:/var/log/audit# /sbin/service auditd rotate
Rotating logs:                                             [  OK  ]
root@joetestvm:/var/log/audit# du -sh *
448K    audit.log
5.6M    audit.log.1
8.1M    audit.log.2
11G     audit.log.3
8.1M    audit.log.4

If you would like to rotate the audit log based on time (e.g. daily) instead of based on size, copy the file /usr/share/doc/audit/auditd.cron to /etc/cron.daily/:

root@joetestvm:/var/log/audit# cat /usr/share/doc/audit/auditd.cron
#!/bin/sh

##########
# This script can be installed to get a daily log rotation
# based on a cron job.
##########

/sbin/service auditd rotate
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0

If you would like to compress the old files as well, please see the article referenced below.

/var/log/secure, on the other hand, is handled by logrotate, which is run every day from cron.daily:

root@joetestvm:~# ls -lart /etc/cron.daily/logrotate
-rwxr-xr-x. 1 root root 189 Jan  4  2018 /etc/cron.daily/logrotate
root@joetestvm:~# cat /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit $EXITVALUE

logrotate has its own configuration file, /etc/logrotate.conf, which controls how often it rotates logs (although it runs every day), how long logs are kept, whether they are compressed, etc. Finer-grained control files live under /etc/logrotate.d. For example, /var/log/secure is grouped in /etc/logrotate.d/syslog by default:

root@joetestvm:/etc/logrotate.d# cat syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

However, I’ve noticed it doesn’t work well with the default configuration, because when lots of information is written into the secure file its size grows rapidly, while the default rotation schedule only rotates once a week and keeps 4 weeks of data.

For this scenario, it’s better to create a separate section for /var/log/secure:

root@joetestvm:/etc/logrotate.d# cat syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

/var/log/secure {
    missingok
    minsize 1M
    maxsize 100M
    rotate 5
}

You can also do a manual rotation after the change. “-v” gives verbose output; “-d” runs in debug mode, which only reports what would be done without touching the logs or the state file. Check the man page of logrotate for more information.

root@joetestvm:/etc/logrotate.d# logrotate -d /etc/logrotate.d/syslog
root@joetestvm:/etc/logrotate.d# logrotate /etc/logrotate.conf
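As an added example (not from the original post), the script below pulls the logrotate stanza that governs a given log file out of a config fragment and checks that it caps the file by size, which is exactly the gap described above for /var/log/secure. It runs the check against two constructed copies of /etc/logrotate.d/syslog written to temporary files: the stock fragment and the tuned one with its own /var/log/secure stanza. The function names are my own, not part of logrotate.

```shell
#!/bin/sh
# Added example: does the stanza for a log file rotate it by size?

# Constructed copy of the stock /etc/logrotate.d/syslog (weak setting).
SYSLOG_DEFAULT="$(mktemp)"
cat >"$SYSLOG_DEFAULT" <<'EOF'
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF

# Constructed copy of the tuned fragment with a separate /var/log/secure stanza.
SYSLOG_TUNED="$(mktemp)"
cat >"$SYSLOG_TUNED" <<'EOF'
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/spooler
{
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}

/var/log/secure {
    missingok
    minsize 1M
    maxsize 100M
    rotate 5
}
EOF

# logrotate_stanza_for CONF LOGPATH: print the directive lines of the stanza
# whose path list contains LOGPATH. Handles both "paths ... {" on one line and
# "{" on a line of its own; comments and blank lines are skipped.
logrotate_stanza_for() {
    awk -v target="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !inblock {
            for (i = 1; i <= NF; i++) {
                if ($i == "{") { inblock = 1 } else if ($i == target) { pending = 1 }
            }
            if (inblock) { hit = pending; pending = 0 }
            next
        }
        /^[[:space:]]*}/ { inblock = 0; hit = 0; next }
        hit { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, ""); print }
    ' "$1"
}

# logrotate_directive CONF LOGPATH NAME: print NAME's argument (empty for
# flags such as missingok); exit status 1 when the stanza lacks the directive.
logrotate_directive() {
    logrotate_stanza_for "$1" "$2" | awk -v d="$3" '
        $1 == d { found = 1; $1 = ""; sub(/^[[:space:]]+/, ""); print }
        END { exit !found }'
}

# check_size_rotation CONF LOGPATH: "ok" when the stanza has maxsize, so a
# burst of writes is rotated before the time-based schedule comes round.
check_size_rotation() {
    if max=$(logrotate_directive "$1" "$2" maxsize); then
        echo "ok: $2 rotates at $max"
    else
        echo "WARN: $2 has no maxsize, only the time-based schedule applies"
    fi
}

check_size_rotation "$SYSLOG_DEFAULT" /var/log/secure
check_size_rotation "$SYSLOG_TUNED" /var/log/secure
```

Point the functions at the real /etc/logrotate.d/syslog to audit a host; the same check works for any log that an attacker’s noisy activity could balloon between scheduled rotations.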

Reference:

https://access.redhat.com/solutions/661603
