On Tuesday, September 07, 2010 10:55:18 am Daniel J Walsh wrote: > > So, for me, my original question remains a puzzle. Why did it just work > > on two out of three boxes, but require adding a cron job to do "service > > auditd rotate" on the the third. Murphy's Law is in force here, the > > system that has not been rotating the logs is the one that is the most > > important, at least in terms of the number of people who use it.
There is no telling without access to your system. This is not a known bug in the audit system that is similar to what is described. So I would expect another explanation. Perhaps the other systems have enough events that the audit system is rotating the logs. The audit system rotates based on log size and not time of day. Logrotate has never been configured to do log rotation for the audit system because of conflicting requirements of the audit daemon needing to take special actions based on disk full and other errors vs simple rotation. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
