On Tue, 22 May 2012 10:58:26 -0400, Steve Grubb <[email protected]> wrote:
> On Monday, May 21, 2012 09:11:51 AM Nicolas GORALSKI wrote:
>> Hi all
>>
>> I've got a problem with my audit log rotation.
>>
>> Because we've got a lot of logs on our server (a few rules
>> and a lot of activity), we've decided to rotate logs every hour to
>> compress, back up and delete them.
>> I'm using the command "/etc/init.d/auditd rotate" to rotate them, no
>> other commands.
>>
>> By the way, we have some errors; sometimes logs are rotated twice.
>>
>> The rotation job was successful and we have as a result this
>> compressed file:
>> audit_20120507-0940--20120507-1040.log.gz
>>
>> The file contains in the first line this information about the previous
>> rotation at 9h40:
>> type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending auid=0 pid=20084 subj=root:system_r:initrc_t:s0
>>
>> But we have a second file created a few seconds after the previous one,
>> named: audit_20120507-1040--20120507-1040.log.gz
>>
>> The first line contains this text:
>> type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error getting usr1 info - no change, sending auid=? pid=? subj=? res=failed
>
> Whenever a signal comes in for log rotation, the audit system needs
> to find out who asked for it. So, it queries the kernel. In this case
> it's saying it couldn't figure out who asked for the rotation - which
> is unusual. This almost looks like 2 signals came in or something to
> that effect.
>
> -Steve

This is weird because my rotation script consists of:

    /etc/init.d/auditd rotate
    sleep 30

Any other ideas about that? It's weird!!
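
An added example, not part of the original thread and not code from the audit project: a Python sketch that scans audit log lines for DAEMON_ROTATE records and flags the two symptoms discussed above, a rotation whose sender could not be identified and two rotations arriving close together. The function names, the 300-second threshold, and the sample records marked as constructed are assumptions made for illustration.

```python
import re

# Header of a DAEMON_ROTATE record: msg=audit(<epoch>.<ms>:<serial>): <rest>
ROTATE_RE = re.compile(r"^type=DAEMON_ROTATE msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"\b(auid|pid|subj|res)=(\S+)")

def parse_rotations(lines):
    """Return DAEMON_ROTATE events sorted by timestamp; other records are skipped."""
    events = []
    for line in lines:
        m = ROTATE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": float(m.group(1)),
            "serial": int(m.group(2)),
            "fields": dict(FIELD_RE.findall(m.group(3))),
        })
    return sorted(events, key=lambda e: e["ts"])

def find_anomalies(events, min_interval=300.0):
    """Flag rotations with an unidentified sender or arriving too soon after the last.

    min_interval is an assumed threshold in seconds; set it well below the
    scheduled rotation period (hourly in the thread).
    """
    findings = []
    prev = None
    for ev in events:
        f = ev["fields"]
        if f.get("res") == "failed" or "?" in (f.get("auid"), f.get("pid")):
            findings.append((ev["serial"], "unknown-sender"))
        if prev is not None and ev["ts"] - prev["ts"] < min_interval:
            findings.append((ev["serial"], "rapid-rotation"))
        prev = ev
    return findings

SAMPLE = [
    # The two records quoted in the thread
    "type=DAEMON_ROTATE msg=audit(1336376401.094:8139): auditd sending auid=0 pid=20084 subj=root:system_r:initrc_t:s0",
    "type=DAEMON_ROTATE msg=audit(1336380001.723:8140): auditd error getting usr1 info - no change, sending auid=? pid=? subj=? res=failed",
    # Constructed: a second rotation a few seconds later, as the duplicate file implies
    "type=DAEMON_ROTATE msg=audit(1336380007.310:8141): auditd sending auid=0 pid=21500 subj=root:system_r:initrc_t:s0",
    # Constructed: an unrelated record that must be ignored
    "type=SYSCALL msg=audit(1336379000.100:500): arch=c000003e syscall=2 success=yes",
]

if __name__ == "__main__":
    for serial, reason in find_anomalies(parse_rotations(SAMPLE)):
        print(serial, reason)
```

Run over the decompressed rotated files together with the live log, every match gives a timestamp to compare against cron and init-script activity when looking for the source of a second signal.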
