On Monday, 25 April 2016, 19:29:06 CEST, Carlos E. R. wrote:
> On 2016-04-25 17:47, Christian Boltz wrote:
> > aa-logprof will read the log again every time you run it, which
> > means it sees the "old" event again.
> I thought it used some kind of timestamp to only scan new events.
aa-logprof doesn't do that. It simply scans the whole logfile (unless you
use the -m option).
aa-genprof does use a timestamp (basically the time it was started or
the last line seen by "(S)can logfile").
> > To get rid of the repeated questions, rotate the old audit.log away:
> > old /var/log/audit/audit.log # will rename it to
> > audit.log-$date
> > rcauditd restart
> That's a new command for me, "old". However, the logfiles there have a
> different rotate method:
> Telcontar:/var/log/audit # ls
> audit.log audit.log.1 audit.log.2 audit.log.3 audit.log.4
> No date stamp, so I can't use "old".
Right, you won't get audit.log-$date automatically deleted because that
doesn't match the .1 etc. suffix, so I agree it's exactly not what the
normal audit.log rotation does.
Nevertheless, 'old' is the easiest way to rename a logfile ;-)
> Mmmm, "rcauditd" does not exist. auditd.service does.
One of the funny bugs caused by switching to systemd.
It only needed a bug report to get rcaudit back in later releases.
Also, I manually re-added it on my 13.1 servers (as symlink to
/sbin/service), so for me it's always available ;-)
> Using the internet since 28.8kbit. Yes, I'm 'old'.
My first modem was 300 bits/sec, you young whippersnapper! ;-)
[> Yamaban and James Knott in opensuse-factory]
Evergreen mailing list
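
The two scan behaviours described in this mail, sketched as an added example (not aa-logprof or aa-genprof code, and not part of the original mail): a whole-file scan returns the already-answered event again, while a scan bounded by a start timestamp returns only newer ones. The log lines, the profile name and the `apparmor_events` helper are constructed for illustration.

```python
import re

# Constructed sample in the audit.log record layout (not taken from the mail).
SAMPLE_LOG = """\
type=AVC msg=audit(1461598000.101:210): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/example.conf" pid=1201 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=SYSCALL msg=audit(1461598000.101:210): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1461604000.552:377): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/var/lib/example/state" pid=1733 comm="exampled" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
"""

# Epoch timestamp from msg=audit(<epoch>.<ms>:<serial>), then the AppArmor fields.
EVENT_RE = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?apparmor="(?P<mode>[A-Z]+)"'
    r'.*?profile="(?P<profile>[^"]+)"(?:.*?\bname="(?P<name>[^"]+)")?'
)


def apparmor_events(log_text, since=None):
    """Return (timestamp, mode, profile, name) tuples for AppArmor records.

    since=None scans everything (old events come back on every run);
    a float epoch keeps only records strictly newer than that moment.
    """
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an AppArmor record, e.g. the SYSCALL line
        ts = float(m.group("ts"))
        if since is not None and ts <= since:
            continue  # older than the chosen start point
        events.append((ts, m.group("mode"), m.group("profile"), m.group("name")))
    return events


if __name__ == "__main__":
    print("whole file:", [e[3] for e in apparmor_events(SAMPLE_LOG)])
    # Constructed start time that falls between the two sample events.
    print("since start:", [e[3] for e in apparmor_events(SAMPLE_LOG, since=1461600000.0)])
```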