How to implement audit log rotation with compression based on time instead of size


Environment

  • Red Hat Enterprise Linux (All versions)

Issue

  • How to rotate audit logs daily?
  • Why are audit logs rotated once they reach 6 MB in size? We want them rotated by a cron job, like /var/log/messages.
  • How can we configure audit log compression?
  • What is the supported method for audit log rotation and compression?

Resolution

Disclaimer: The following information has been provided by Red Hat, but is outside the scope of the posted Service Level Agreements and support procedures. The information is provided as-is and any configuration settings or installed applications made from the information in this article could make the Operating System unsupported by Red Hat Global Support Services. The intent of this article is to provide information to accomplish the system's needs. Use of the information in this article at the user's own risk.

By default, auditd in all versions of Red Hat Enterprise Linux rotates its own log files automatically when they reach a certain size, as determined by the max_log_file setting in auditd.conf (which defaults to 6 megabytes).

Replacing auto-rotation based on size with auto-rotation based on time

  1. Disable rotation in /etc/audit/auditd.conf so that:

    max_log_file_action = ignore
    
  2. Tell auditd to reconfigure itself (applying your changes) by doing one of the following:
    kill -HUP $(pidof auditd)   (Any version)
    systemctl reload auditd   (RHEL7)
    service auditd reload   (RHEL6 and earlier)

  3. To trigger a rotation manually, auditd needs to receive a USR1 signal.
    Simple solution for daily rotation: copy auditd.cron to cron.daily.

    ~]# cp /usr/share/doc/audit-*/auditd.cron /etc/cron.daily
    ~]# chmod +x /etc/cron.daily/auditd.cron
    ~]# cat /etc/cron.daily/auditd.cron
    #!/bin/sh
    
    ##########
    # This script can be installed to get a daily log rotation
    # based on a cron job.
    ##########
    
    /sbin/service auditd rotate
    EXITVALUE=$?
    if [ $EXITVALUE != 0 ]; then
        /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]"
    fi
    exit 0
    
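Step 1 is a one-line edit, but it is easy to end up with two max_log_file_action lines or to miss an upper-case ROTATE that auditd accepts just as well. The following shell functions are an added example (not part of this article and not Red Hat's own tooling): they set the key idempotently and report which rotation mode a given auditd.conf describes. They are written to work on any file path, so they can be tried on a copy of /etc/audit/auditd.conf before touching the real one as root.

```shell
#!/bin/sh
# Added example, not the article's own code: switch an auditd.conf to
# max_log_file_action = ignore idempotently and verify the result before
# relying on cron-driven rotation. Point it at /etc/audit/auditd.conf only
# as root; auditd re-reads the file on SIGHUP as described in step 2.

# conf_value FILE KEY: print the value of "KEY = value" from an auditd.conf
# with comments and surrounding whitespace stripped, last occurrence winning,
# lower-cased because auditd accepts ROTATE and rotate alike.
conf_value() {
    sed -n -e 's/#.*//' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1 | tr 'A-Z' 'a-z'
}

# set_conf_value FILE KEY VALUE: rewrite an existing "KEY = ..." line in place
# or append one, so running it twice still leaves a single line for the key.
set_conf_value() {
    if grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i -E "s/^([[:space:]]*$2[[:space:]]*=[[:space:]]*).*/\1$3/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# rotation_mode FILE: "size" when auditd rotates by itself at max_log_file MB,
# "manual" when the action is ignore (rotation happens only on SIGUSR1),
# "unset" when the key is missing, otherwise the configured action
# (syslog, suspend, keep_logs, halt) so nobody assumes rotation is happening.
rotation_mode() {
    action=$(conf_value "$1" max_log_file_action)
    case "$action" in
        rotate) echo size ;;
        ignore) echo manual ;;
        '')     echo unset ;;
        *)      echo "$action" ;;
    esac
}
```

A typical run on a scratch copy is `cp /etc/audit/auditd.conf /tmp/auditd.conf; set_conf_value /tmp/auditd.conf max_log_file_action ignore; rotation_mode /tmp/auditd.conf`, which should print `manual`. The sed -i and the [[:space:]] classes are GNU/RHEL behaviour, which is the platform this article covers.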

Implementing log compression

auditd does not support log compression; however, it is trivial to extend the script above to rename old audit.log.N files and compress them. A working example is provided for demonstration purposes.

  1. Follow the steps above to disable auto-rotation based on size

  2. Replace the previously-created script with the following code:

    #!/bin/bash
    export PATH=/sbin:/bin:/usr/sbin:/usr/bin
    
    FORMAT="%F_%T"  # Customize timestamp format as desired, per `man date`
                    # %F_%T will lead to files like: audit.log.2015-02-26_15:43:46
    COMPRESS=gzip   # Change to bzip2 or xz as desired
    KEEP=5          # Number of compressed log files to keep
    ROTATE_TIME=5   # Amount of time in seconds to wait for auditd to rotate its logs. Adjust this as necessary
    
    rename_and_compress_old_logs() {
        for file in $(find /var/log/audit/ -name 'audit.log.[0-9]'); do
            timestamp=$(ls -l --time-style="+${FORMAT}" ${file} | awk '{print $6}')
            newfile=${file%.[0-9]}.${timestamp}
            # Optional: remove "-v" verbose flag from next 2 lines to hide output
            mv -v ${file} ${newfile}
            ${COMPRESS} -v ${newfile}
        done
    }
    
    delete_old_compressed_logs() {
        # Optional: remove "-v" verbose flag to hide output
        rm -v $(find /var/log/audit/ -regextype posix-extended -regex '.*audit\.log\..*(xz|gz|bz2)$' | sort -n | head -n -${KEEP})
    }
    
    rename_and_compress_old_logs
    service auditd rotate
    sleep $ROTATE_TIME
    rename_and_compress_old_logs
    delete_old_compressed_logs
    
  3. Modify the declarations of FORMAT, COMPRESS, and KEEP as desired

  4. Ensure the script is marked executable and set it to be called by cron at desired times (either via a normal cron job or by putting it in cron.daily as demonstrated above)

    Note: The script may output a warning; this is expected behavior:

    rm: missing operand
    Try 'rm --help' for more information.
    

    This happens on the first execution, when no log has been rotated yet: find returns nothing, so the rm in delete_old_compressed_logs() is called without any operand and fails.
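The `rm: missing operand` warning above comes from expanding an empty `$(find ...)` into `rm`, and the same unquoted expansion would also mis-split file names containing spaces. The functions below are an added example (not the article's script, not Red Hat code) showing the same rename, compress and prune sequence with the audit directory passed as a parameter, so it can be exercised on a scratch directory, and written so that an empty directory is simply a no-op. The rotation signal itself (`service auditd rotate` plus the sleep) is unchanged from the article and is only composed in `daily_rotation`.

```shell
#!/bin/bash
# Added example, not the article's script: rename-compress-prune logic with the
# directory as a parameter, safe against empty results and odd file names.
# GNU coreutils/findutils (date -r, find -printf, head -n -N) are assumed, as on RHEL.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:$PATH   # cron runs with a minimal PATH

FORMAT="%F_%T"   # timestamp appended to rotated logs, per `man date`
COMPRESS=gzip    # gzip, bzip2 or xz; all three preserve the input's mtime
KEEP=5           # number of compressed logs to keep

# rename_and_compress DIR: audit.log.N -> audit.log.<mtime of N>, then compress.
# Globs replace $(find ...) so names cannot be word-split, and a glob that
# matches nothing is skipped by the -e test instead of being passed to mv.
rename_and_compress() {
    dir=${1%/}
    for file in "$dir"/audit.log.[0-9] "$dir"/audit.log.[0-9][0-9]; do
        [ -e "$file" ] || continue
        timestamp=$(date -r "$file" +"$FORMAT")   # last write == rotation time
        newfile="${file%.[0-9]*}.${timestamp}"
        mv -- "$file" "$newfile"
        "$COMPRESS" -f "$newfile"
    done
}

# prune_compressed DIR: delete all but the KEEP newest compressed logs, ordered
# by mtime rather than by name. With KEEP or fewer files, head -n -KEEP emits
# an empty list, the loop body never runs and rm is never invoked.
prune_compressed() {
    find "${1%/}" -maxdepth 1 -regextype posix-extended \
         -regex '.*/audit\.log\..*\.(gz|bz2|xz)$' -printf '%T@ %p\n' \
        | sort -n | head -n "-$KEEP" | cut -d' ' -f2- \
        | while IFS= read -r old; do rm -f -- "$old"; done
}

# count_compressed DIR: number of compressed logs present (useful for checks).
count_compressed() {
    find "${1%/}" -maxdepth 1 -regextype posix-extended \
         -regex '.*/audit\.log\..*\.(gz|bz2|xz)$' | wc -l | tr -d ' '
}

# daily_rotation: the sequence the cron job runs, as in the article's script.
# Compress any leftover audit.log.N first, ask auditd to rotate (SIGUSR1, which
# renames audit.log to audit.log.1), give it a moment, then compress and prune.
daily_rotation() {
    rename_and_compress /var/log/audit
    service auditd rotate
    sleep 5
    rename_and_compress /var/log/audit
    prune_compressed /var/log/audit
}
```

To use it as a cron job, call `daily_rotation` at the end of the file and install it under /etc/cron.daily exactly as the article's version; to try the file handling without auditd, source the file and run `rename_and_compress` and `prune_compressed` against a temporary directory containing a fake audit.log.1.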

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
