Thanks Steve for the suggestion. Unfortunately, even with my script
sending USR2 to auditd, i still get the same behavior where the
space_left_action=exec call to the script only happens once.
Thoughts?
Bond
On 01/25/2017 10:22 PM, Steve Grubb wrote:
Hello,
On Wed, 25 Jan 2017 15:06:50 -0800
Bond Masuda <[email protected]> wrote:
I configured space_left and space_left_action to run a script that
compresses and moves older audit log files from /var/log/audit. It
appears to work 1 time, and then doesn't work anymore until I kill
the auditd daemon and start it again.
Is this expected and/or desired behavior? I didn't see anything in
the man pages about this behavior. I was hoping to have my script run
every time the space_left threshold is hit so as to not run out of
logging disk space. Is there something I can do to accomplish this?
You may need to send SIGUSR2 to `pidof auditd` to reset the internal
counters. Let me know if that does not fix it.
-Steve
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
