Hello,

On Monday, 25 April 2016, 19:29:06 CEST, Carlos E. R. wrote:
> On 2016-04-25 17:47, Christian Boltz wrote:
> > aa-logprof will read the log again every time you run it, which
> > means it sees the "old" event again.
>
> I thought it used some kind of timestamp to only scan new events.

aa-logprof doesn't do that. It simply scans the whole logfile (unless
you use the -m option). aa-genprof does use a timestamp (basically the
time it was started or the last line seen by "(S)can logfile").

> > To get rid of the repeated questions, rotate the old audit.log away:
> >     old /var/log/audit/audit.log   # will rename it to
> >                                      audit.log-$date
> >     rcauditd restart
>
> That's a new command for me, "old". However, the logfiles there have a
> different rotate method:
>
> Telcontar:/var/log/audit # ls
> audit.log  audit.log.1  audit.log.2  audit.log.3  audit.log.4
>
> No date stamp, so I can't use "old".

Right, you won't get audit.log-$date automatically deleted because that
doesn't match the .1 etc. suffix, so I agree it's exactly not what the
normal audit.log rotation does. Nevertheless, 'old' is the easiest way
to rename a logfile ;-)

> Mmmm, "rcauditd" does not exist. auditd.service does.

One of the funny bugs caused by switching to systemd. It only needed a
bug report to get rcaudit back in later releases. Also, I manually
re-added it on my 13.1 servers (as symlink to /sbin/service), so for me
it's always available ;-)

Regards,

Christian Boltz
-- 
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whipper snapper! ;-)
[> Yamaban and James Knott in opensuse-factory]
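
An added example, not part of the original message: one way to get a timestamp cutoff for a log scan without renaming audit.log is to copy only the records newer than a given epoch time into a separate file and point aa-logprof at that file with its -f option. The function names, the sample records, the cutoff values and the /tmp path are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep only audit records newer than a cutoff, so a later
# log scan does not revisit old events. All names and data are constructed.

# audit_since EPOCH [LOGFILE]
# Prints the records whose msg=audit(SECONDS.millis:serial) stamp is later
# than EPOCH (compared in whole seconds). Lines without a stamp are skipped.
# Reads standard input when no LOGFILE is given.
audit_since() {
    awk -v since="$1" '
        match($0, /audit\([0-9]+/) {
            # "audit(" is 6 characters; the rest of the match is the seconds
            ts = substr($0, RSTART + 6, RLENGTH - 6) + 0
            if (ts > since) print
        }' "${2:--}"
}

# Constructed sample records (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1461590000.100:101): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/etc/example.conf" pid=1234 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1461600000.200:102): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/var/lib/example/state" pid=1234 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
this line carries no audit timestamp and is dropped
type=AVC msg=audit(1461610000.300:103): apparmor="ALLOWED" operation="open" profile="/usr/bin/example" name="/run/example.pid" pid=1234 comm="example" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
EOF
}

# Typical use on a real system (GNU date; the /tmp path is an assumption):
#   audit_since "$(date -d '1 hour ago' +%s)" /var/log/audit/audit.log \
#       > /tmp/new-events.log
#   aa-logprof -f /tmp/new-events.log

# Demo on the constructed records: only serial 103 is newer than the cutoff.
sample_log | audit_since 1461600000
```
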