Here is what I've done to manage audit log files in systems I build. You can leverage this, and add your other things after the 'service auditd rotate'. Would that work for you? -Joe
#!/bin/bash
# Reference: https://access.redhat.com/solutions/661603
# auditd log rotation -- this file lives in /etc/cron.daily/auditd.cron
PATH='/sbin:/bin:/usr/sbin:/usr/bin'
FORMAT='+%Y%m%d_%H%M%S'   # Customize timestamp format as desired, per 'man date'.
COMPRESS='gzip'           # Change to bzip2 or xz, if desired.
Cext='gz'                 # Change to match file EXTENSION for the compression used.
KEEP=10                   # Number of compressed log files to keep.
ROTATE_TIME=30            # Seconds to wait for auditd to rotate its logs; adjust as necessary.

# Rename each audit.log.N to audit.log.<mtime timestamp> and compress it.
function rename_and_compress_old_logs() {
    find /var/log/audit/ -type f -regextype posix-extended -regex '.*audit\.log\.[0-9]+$' |
    while IFS= read -r file; do
        timestamp="$(ls -l --time-style=${FORMAT} "${file}" | awk '{print $6}')"
        newfile="${file%.*}.${timestamp}"    # strip the whole numeric suffix, not just one digit
        mv "${file}" "${newfile}"
        ${COMPRESS} -9 "${newfile}"
    done
}

# Delete all but the newest KEEP compressed logs; the timestamp embedded in
# the name makes a plain lexical sort chronological.
function delete_old_compressed_logs() {
    find /var/log/audit/ -type f -regextype posix-extended -regex '.*audit\.log\..*(xz|gz|bz2)$' |
    sort | head -n -"${KEEP}" | xargs -r rm -f
}

rename_and_compress_old_logs
service auditd rotate
EV="$?"
if [ "${EV}" != 0 ]; then
    /usr/bin/logger -t auditd "FAILURE ALERT from /etc/cron.daily/auditd.cron 'service auditd rotate' exited ABNORMALLY with exit value(${EV})."
else
    /usr/bin/logger -t auditd "cron.daily: Successful rotation of: /var/log/audit/audit.log."
fi
sleep ${ROTATE_TIME}
rename_and_compress_old_logs
chmod 0600 /var/log/audit/audit.log
chmod 0400 /var/log/audit/audit.log*.${Cext}
delete_old_compressed_logs
unset FORMAT COMPRESS Cext KEEP ROTATE_TIME file timestamp newfile EV
exit 0

On Saturday, March 18, 2023 at 10:57:23 AM EDT, Christiansen, Edward - 0992 - MITLL <edwa...@ll.mit.edu> wrote:

I would like to know if there is a way to tell auditd to run a script or command after it rotates its logs. I can do this with logrotate, but would much prefer something native to auditd. I spent some time with Google and found only logrotate solutions.
Thanks, Ed Christiansen Millstone Hill SysAdmin -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
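As an added example (my own code, not Joe's cron script and not anything shipped with auditd), here is the post-rotation handling factored into functions that take the log directory as a parameter, so the logic can be exercised in a scratch directory before it is pointed at /var/log/audit. It also adds one step the cron script above does not have: a SHA-256 manifest written before compression, so a later modification of an archived log can be detected. It assumes GNU coreutils (date -r, head -n -N, sha256sum) and the audit.log.N naming auditd uses after rotation; the --run switch and the audit.sha256 manifest name are my choices.

```shell
#!/bin/bash
# Added example: archive rotated auditd logs from a parameterised directory.
# Assumed layout: after rotation auditd leaves audit.log.1, audit.log.2, ...

# Rename audit.log.N to audit.log.<mtime stamp>, record its SHA-256 in a
# manifest (tamper evidence taken before compression), gzip it, make it read-only.
archive_rotated_logs() {
    dir="$1"
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        # Only purely numeric suffixes are rotated logs; skip .gz and timestamped names.
        case "${f##*.}" in *[!0-9]*) continue ;; esac
        stamp=$(date -r "$f" '+%Y%m%d_%H%M%S')
        new="${f%.*}.$stamp"
        mv "$f" "$new"
        (cd "$dir" && sha256sum "${new##*/}" >> audit.sha256)
        gzip -9 "$new"
        chmod 0400 "$new.gz"
    done
}

# Keep only the newest KEEP compressed logs; the timestamp in the name makes
# a plain lexical sort chronological (oldest first), so head drops the oldest.
prune_compressed_logs() {
    dir="$1"; keep="$2"
    ls "$dir"/audit.log.*.gz 2>/dev/null | sort | head -n "-$keep" |
    while IFS= read -r old; do
        rm -f "$old"
    done
}

# Re-hash the decompressed content of every archive still present and compare
# it with the manifest; returns non-zero on the first mismatch.
verify_archive() {
    dir="$1"
    ( cd "$dir" && while read -r sum name; do
          [ -f "$name.gz" ] || continue          # already pruned
          actual=$(gzip -dc "$name.gz" | sha256sum | cut -d' ' -f1)
          [ "$actual" = "$sum" ] || exit 1
      done < audit.sha256 )
}

# Live usage (as root, after 'service auditd rotate' has run):
#   ./archive_audit_logs.sh --run /var/log/audit 10
if [ "${1:-}" = "--run" ]; then
    archive_rotated_logs "${2:-/var/log/audit}"
    prune_compressed_logs "${2:-/var/log/audit}" "${3:-10}"
    verify_archive "${2:-/var/log/audit}"
fi
```

The manifest lives next to the logs, so it is only as trustworthy as the host; in production forward the hash lines off-host as well (for example through logger to a remote syslog), otherwise whoever can edit the archive can edit the manifest too. The verify step hashes the decompressed content, so it keeps working after the file has been gzipped.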