Retaining auditd logs for a year on RHEL machines

Has anyone configured auditd to retain a year's worth of compressed auditd logs on RHEL machines? If so, please share your input.

Responses

Hi Shisheer,

There are several possible scenarios:

a) One is described in a Red Hat Knowledge Article, with the idea of implementing audit log rotation with compression based on time instead of size:

https://access.redhat.com/solutions/661603

b) Forward audit logs to syslog and manage retention periods any way one wishes.

c) Set up a centralized audit server. An example of a bastioned centralized audit server with GroundWork open-source log monitoring:

https://www.sans.org/reading-room/whitepapers/logging/creating-bastioned-centralized-audit-server-groundwork-open-source-log-monitoring-event-signatures-34157

d) Forward audit logs to remote servers. At one place I am familiar with, they forward those logs to Elasticsearch.

Regards,

Dusan Baljevic (amateur radio VK2COT)
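Scenario (a) above, time-based rotation with compression, as an added example that is not from the post or the Red Hat article: a script meant to run from cron right after `service auditd rotate` (which makes auditd start a fresh audit.log). It gzips the rotated `audit.log.N` files with a timestamp in the name and deletes archives older than a retention window. The log directory, the `audit.log.N` naming, and the 365-day default are assumptions.

```shell
#!/bin/sh
# Added example: compress rotated auditd logs and prune old archives.
# Assumed cron sequence (not from the original post):
#   0 0 * * * service auditd rotate && /usr/local/sbin/audit-archive.sh --run
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"   # assumed auditd log_file directory
RETENTION_DAYS="${RETENTION_DAYS:-365}"    # one year, as the question asks

# Compress every rotated log (audit.log.1, audit.log.2, ...) and remove the
# plain copy. A timestamp goes into the archive name so that the next rotation,
# which reuses the same .N suffixes, never overwrites an earlier archive.
# The active audit.log is left untouched: auditd still has it open.
# Prints the number of files compressed.
compress_rotated_logs() {
    dir="$1"
    stamp="$(date +%Y%m%d-%H%M%S)"
    n=0
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        case "$f" in *.gz) continue ;; esac   # already archived
        gzip -c "$f" > "$f.$stamp.gz" && rm -f "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Delete compressed archives whose mtime is older than the retention window
# (find -mtime +N selects files modified more than N days ago).
# Prints the number of archives removed.
prune_old_archives() {
    dir="$1"
    days="$2"
    find "$dir" -maxdepth 1 -type f -name 'audit.log.*.gz' \
        -mtime +"$days" -print -delete | wc -l | tr -d ' '
}

# Count archives currently retained (for the cron summary line).
count_archives() {
    find "$1" -maxdepth 1 -type f -name 'audit.log.*.gz' | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
    c=$(compress_rotated_logs "$AUDIT_DIR")
    p=$(prune_old_archives "$AUDIT_DIR" "$RETENTION_DAYS")
    echo "audit-archive: compressed=$c pruned=$p retained=$(count_archives "$AUDIT_DIR")"
fi
```

Pair this with `max_log_file_action = keep_logs` (or `ignore`) in `/etc/audit/auditd.conf` so auditd itself never discards rotated files before the script has archived them.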