Re: run script after auditd rotates logs

Sat, 18 Mar 2023 19:17:44 -0700 

 Here is what I've done to manage audit log files in systems I build.You can 
leverage this, and add your other things after the 'service auditd 
rotate'.Would that work for you?
-Joe

#!/bin/bash

# Reference:  https://access.redhat.com/solutions/661603
PATH='/sbin:/bin:/usr/sbin:/usr/bin'

# auditd log rotation -- This file located in /etc/cron.daily/auditd.cron

FORMAT='+%Y%m%d_%H%M%S'  # Customize timestamp format as desired, per 'man 
date'.
COMPRESS='gzip'          # Change to bzip2 or xz, if desired.
Cext='gz'                # Change to match file EXTENSION for the compression 
used.
KEEP=10                  # Number of compressed log files to keep.
ROTATE_TIME=30           # Amount of time in seconds to wait for auditd to 
rotate its logs; adjust this as necessary.

function rename_and_compress_old_logs() { for file in $(find /var/log/audit/ 
-type f -regextype posix-extended -regex  '.*audit.log.[0-9]{1,}$'); do
                                              timestamp="$(ls -l 
--time-style=${FORMAT} ${file} | awk '{print $6}')"
                                              
newfile="${file%.[0-9]}.${timestamp}"
                                              mv ${file} ${newfile}
                                              ${COMPRESS} -9 ${newfile}
                                          done; }

function delete_old_compressed_logs() { rm -f $(find /var/log/audit/ -regextype 
posix-extended -regex '.*audit\.log\..*(xz|gz|bz2)$' | sort -n | head -n 
-${KEEP}) 2>/dev/null; }

rename_and_compress_old_logs

service auditd rotate
EV="$?"
if [ "${EV}" != 0 ]; then
     /usr/bin/logger -t auditd "FAILURE ALERT from /etc/cron.daily/auditd.cron 
'service auditd rotate' exited ABNORMALLY with exit value(${EV})."
else
     /usr/bin/logger -t auditd "cron.daily:  Successful rotation of: 
/var/log/audit/audit.log."
fi

sleep ${ROTATE_TIME}
rename_and_compress_old_logs
chmod 0600 /var/log/audit/audit.log
chmod 0400 /var/log/audit/audit.log*.${Cext}
delete_old_compressed_logs
unset FORMAT COMPRESS Cext KEEP ROTATE_TIME file timestamp newfile EV

exit 0






    On Saturday, March 18, 2023 at 10:57:23 AM EDT, Christiansen, Edward - 0992 
- MITLL <edwa...@ll.mit.edu> wrote:  
 
 I would like to know if there is a way to tell auditd to run a script or 
command after it rotates its logs.  I can do this with logrotate, but would 
much prefer something native to auditd.  I spent some toime with Google and 
found only logrotate solutions.

Thanks,

Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
  
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

Reply via email to