In the last episode (Sep 02), Kurt Buff said:
> On Wed, Sep 2, 2009 at 00:23, Mark Stapper<st...@mapper.nl> wrote:
> > Kurt Buff wrote:
> >> I traced it down, and found out that he had not logged in on Sunday.
> >> The auth.log is, as you can see from the listing below, quite old. The
> >> entries referenced above are from two years ago.
> >>
> >> zmx1# ll /var/log/a*
> >> -rw------- 1 root wheel 71845 Sep 1 15:42 /var/log/auth.log
> >> -rw------- 1 root wheel 6087 Aug 29 2007 /var/log/auth.log.0.bz2
> >> -rw------- 1 root wheel 5774 Aug 12 2007 /var/log/auth.log.1.bz2
> >> -rw------- 1 root wheel 5795 Jul 24 2007 /var/log/auth.log.2.bz2
> >> -rw------- 1 root wheel 6813 Jul 6 2007 /var/log/auth.log.3.bz2
> >>
> >> So, a couple of questions:
> >>
> >> Why would the daily security run pick up something from *two years ago*
> >> and only report it again today? The machine hasn't been rebooted in a
> >> very long time, if that makes a difference.
> >>
> >> Is there any way to prevent something like this happening again - or
> >> perhaps can I force the entry of the year into the date field for the
> >> auth.log entries?
> >
> > If you look at the syntax of the logfile, you will see no year is
> > listed. Most likely the whole file is parsed on security run. Since
> > the logfile has been rotated the 30th of august 2007, it's very much
> > possible you'll get all your messages all over again. Perhaps it's wise
> > to rotate your logfiles once a year just in case... And it makes no
> > difference the machine hasn't been rebooted in a very long time...
> > (define "very long time" ;-) http://uptimes-project.org/hosts/view/150 )
>
> Heh. Well, for me a very long time is more than a year, because
> security patches for the OS will at some point mandate a reboot - and
> usually in less than a year.
>
> I suppose there's a way to do auth log rotation automagically - would
> that be sysutils/logrotate?

The system already rotates auth.log. Just edit /etc/newsyslog.conf and
add a date check to the line for auth.log. The default is to roll it
when it hits 100KB, but if you add something like $M1D0 to the "when"
column it'll rotate it monthly as well.

--
Dan Nelson
dnel...@allantgroup.com
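
The year-less timestamps discussed in this thread, as an added example (not code from the thread or from FreeBSD): the Python below infers a year for each auth.log line by walking backwards from the file's last write time, then lists entries that a "Mon DD" match would report for a given day although they belong to an earlier year. The sample lines, the last-write time and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the classic year-less syslog format (not from the thread).
LINES = """\
Aug 30 03:12:44 zmx1 sshd[811]: Accepted password for alice from 192.0.2.10 port 4022 ssh2
Dec 14 09:01:10 zmx1 sshd[902]: Accepted publickey for bob from 192.0.2.20 port 5022 ssh2
Mar  3 18:45:00 zmx1 su: BAD SU alice to root on /dev/ttyp0
Aug 30 11:30:05 zmx1 sshd[1200]: Accepted publickey for bob from 192.0.2.20 port 6022 ssh2
Sep  1 15:42:00 zmx1 sshd[1302]: Accepted publickey for bob from 192.0.2.20 port 5122 ssh2
""".splitlines()
LAST_WRITE = datetime(2009, 9, 1, 15, 42)  # assumed mtime of the log file

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def infer_years(lines, last_write):
    """Walk newest to oldest; a stamp that would land after the entry that
    follows it in the file must belong to an earlier year. A silent gap of
    more than a year is invisible, so the result is the latest possible date."""
    out, year, newer = [], last_write.year, last_write
    for line in reversed(lines):
        if not STAMP.match(line):
            continue
        for y in range(year, year - 9, -1):  # 9 years spans any leap-year gap
            try:
                ts = datetime.strptime(f"{y} {line[:15]}", "%Y %b %d %H:%M:%S")
            except ValueError:  # e.g. Feb 29 in a non-leap year
                continue
            if ts <= newer:
                out.append((ts, line))
                year, newer = y, ts
                break
    return out[::-1]

def stale_matches(lines, last_write, day):
    """Entries a year-less match on 'Mon DD' would report for `day`
    although their inferred date falls in a different year."""
    prefix = f"{day:%b} {day.day:2d} "
    return [(ts, l) for ts, l in infer_years(lines, last_write)
            if l.startswith(prefix) and ts.date() != day.date()]

if __name__ == "__main__":
    for ts, line in stale_matches(LINES, LAST_WRITE, datetime(2009, 8, 30)):
        print(f"stale ({ts:%Y-%m-%d}): {line}")
```
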