Retaining auditd logs for a year on RHEL machines

Has anyone configured auditd to retain a year's worth of compressed auditd logs on RHEL machines? If so, please share your input.


Hi Shisheer,

There are several possible scenarios:

a) One is described in a Red Hat Knowledge Article, with the idea of how to implement audit log rotation with compression based on time instead of size:

b) Forward audit logs to syslog and manage retention periods any way one wishes.

c) Set up a centralized audit server. An example of a bastioned centralized audit server with GroundWork open-source log monitoring:

d) Forward audit logs to remote servers. At one place I am familiar with, they forward those logs to ElasticSearch.


Dusan Baljevic (amateur radio VK2COT)
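As an added example of scenario (a), not from the thread or the linked Knowledge Article, the script below shows one way to do time-based rotation with compression and a one-year retention window on a RHEL host. It assumes `/etc/audit/auditd.conf` has `max_log_file_action = keep_logs` (so auditd never deletes rotated files itself), that the script runs once a day from cron, and that `AUDIT_DIR`, `RETENTION_DAYS` and `AUDIT_ROTATE_RUN` are the script's own variables. Rotation is requested with `SIGUSR1`, which is auditd's documented rotate signal (the same thing `service auditd rotate` does); rotated files are renamed with a timestamp before compression so that the recurring `audit.log.1` name never overwrites an earlier archive, and the original write time is preserved on the archive so retention is measured from when the data was written.

```shell
#!/bin/sh
# Added example (not from the thread): daily time-based auditd rotation,
# compression of rotated files, and pruning of archives older than a year.
# Assumes auditd.conf has max_log_file_action = keep_logs. AUDIT_DIR,
# RETENTION_DAYS and AUDIT_ROTATE_RUN are this script's own variables.

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
RETENTION_DAYS="${RETENTION_DAYS:-365}"

# Ask a running auditd to rotate: audit.log -> audit.log.1, .1 -> .2, etc.
# Returns non-zero (without touching anything) when auditd is not running.
rotate_audit_log() {
    pid=$(pidof auditd 2>/dev/null) || return 1
    [ -n "$pid" ] || return 1
    kill -USR1 "$pid"
}

# Compress every rotated file audit.log.N into audit.log.<timestamp>-N.gz.
# audit.log itself is never touched because auditd still has it open.
# The archive keeps the rotated file's mtime so pruning reflects write time.
compress_rotated_logs() {
    dir="$1"
    ts=$(date +%Y%m%d-%H%M%S)
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        case "$f" in *.gz) continue ;; esac
        n="${f##*.}"
        out="$dir/audit.log.$ts-$n.gz"
        gzip -9 -c "$f" > "$out" || { rm -f "$out"; return 1; }
        touch -r "$f" "$out"
        rm -f "$f"
    done
}

# Delete compressed archives whose mtime is older than the retention period.
prune_old_logs() {
    dir="$1"
    days="$2"
    find "$dir" -name 'audit.log.*.gz' -type f -mtime +"$days" -exec rm -f {} +
}

# Number of archives currently retained, for reporting and checks.
count_archives() {
    find "$1" -name 'audit.log.*.gz' -type f | wc -l | tr -d ' '
}

main() {
    rotate_audit_log || echo "auditd not running; skipping rotate" >&2
    compress_rotated_logs "$AUDIT_DIR"
    prune_old_logs "$AUDIT_DIR" "$RETENTION_DAYS"
    echo "archives retained in $AUDIT_DIR: $(count_archives "$AUDIT_DIR")"
}

# Run only when explicitly asked (e.g. from cron), so the file can also be
# sourced to reuse the functions without touching the live audit directory.
if [ "${AUDIT_ROTATE_RUN:-0}" = 1 ]; then
    main
fi
```

Run it from a daily root cron entry as `AUDIT_ROTATE_RUN=1 /usr/local/sbin/audit-rotate.sh`. Pruning by mtime means an archive is removed on the first run after it turns `RETENTION_DAYS` old, so keep an off-host copy (scenarios b, c or d above) if the year of history must survive a compromised or rebuilt machine; local retention alone is not tamper-evident.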