Linux-audit Archive mirror
From: "Christiansen, Edward - 0992 - MITLL" <edwardc@ll.mit.edu>
To: "burn@swtf.dyndns.org" <burn@swtf.dyndns.org>,
	"linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: RE: run script after auditd rotates logs
Date: Mon, 20 Mar 2023 13:04:12 +0000
Message-ID: <BN0P110MB1210BC43B748D8E40905B6699C809@BN0P110MB1210.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <c1a23e6bbb140660a5de48f89e9b8b7723d66ea8.camel@iinet.net.au>


Thanks.  This is definitely the info I was looking for.



From: Burn Alting <burn.alting@iinet.net.au>
Sent: Saturday, March 18, 2023 9:26 PM
To: Christiansen, Edward - 0992 - MITLL <edwardc@ll.mit.edu>; 
linux-audit@redhat.com
Subject: Re: run script after auditd rotates logs



Ed,



One indirect way of achieving this is to author a script that

- sends SIGUSR1 to the auditd process (which causes auditd to immediately 
rotate the logs. It will consult the max_log_file_action to see if it should 
keep the logs or not.)

- does whatever you need to do with the rolled over audit.log files



Clearly you only have access to the rolled over log files (given that's what 
you want).



Rgds





On Sat, 2023-03-18 at 14:36 +0000, Christiansen, Edward - 0992 - MITLL wrote:

I would like to know if there is a way to tell auditd to run a script or
command after it rotates its logs.  I can do this with logrotate, but would
much prefer something native to auditd.  I spent some time with Google and
found only logrotate solutions.

Thanks,

Ed Christiansen
Millstone Hill SysAdmin
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
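
The approach suggested in the reply above (send SIGUSR1 to auditd, then work on the rolled-over file), as an added example that is not part of the original thread. The function names, the archive directory, the `/run/auditd.pid` and `/var/log/audit` defaults, and a `num_logs` setting of at least 2 (so that `audit.log.1` exists after rotation) are assumptions.

```shell
#!/bin/sh
# Added example: force an auditd rotation with SIGUSR1, then handle the
# rolled-over file. Paths and function names are assumptions.

# Print the inode number of a file (POSIX ls -i); empty if it is missing.
inode_of() {
    ls -i "$1" 2>/dev/null | awk '{print $1}'
}

# rotate_and_wait PID LOGDIR [TIMEOUT_SECONDS]
# Sends SIGUSR1 to PID and waits until the file that was audit.log has
# been renamed to audit.log.1. Returns 0 on success, 1 on failure/timeout.
rotate_and_wait() {
    pid=$1 logdir=$2 timeout=${3:-10}
    before=$(inode_of "$logdir/audit.log")
    [ -n "$before" ] || return 1
    kill -USR1 "$pid" 2>/dev/null || return 1
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        # Same inode under the .1 name means the rename has happened,
        # even if an older audit.log.1 existed before the signal.
        [ "$(inode_of "$logdir/audit.log.1")" = "$before" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# archive_rotated LOGDIR ARCHIVEDIR
# Example post-rotation action: copy audit.log.1 to a timestamped name
# and append its SHA-256 to a manifest. Prints the archived path.
archive_rotated() {
    src=$1/audit.log.1
    dest=$2/audit-$(date -u +%Y%m%dT%H%M%SZ).log
    ( umask 077   # new files readable by the owner only
      mkdir -p "$2" && cp -p "$src" "$dest" &&
      cd "$2" && sha256sum "$(basename "$dest")" >> SHA256SUMS ) || return 1
    printf '%s\n' "$dest"
}

# Real use (as root): ./rotate-audit.sh --run
if [ "${1:-}" = "--run" ]; then
    # Assumed defaults for a stock auditd install.
    rotate_and_wait "$(cat /run/auditd.pid)" /var/log/audit 15 &&
        archive_rotated /var/log/audit /var/log/audit-archive
fi
```

Waiting on the inode rather than sleeping a fixed time avoids processing a stale `audit.log.1` when auditd has not finished the rename yet.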

Thread overview: 3+ messages
2023-03-18 14:36 run script after auditd rotates logs Christiansen, Edward - 0992 - MITLL
2023-03-19  1:25 ` Burn Alting
2023-03-20 13:04   ` Christiansen, Edward - 0992 - MITLL [this message]
