audit.log / log rotate question

Asked by Bill Lindsey

Good day,

I have an interesting thing going on with Ubuntu 20.04.

My audit.log file is looking a bit zany:

-rw-r----- 1 root adm 20 Jun 2 00:00 audit.log.1.5.gz
-r--r----- 1 root adm 508634 May 23 11:12 audit.log.1.5.gz.1.1.1.1.1
-rw-r----- 1 root adm 0 Jun 6 00:00 audit.log.1.5.gz.2.gz.1.1
-rw-r----- 1 root adm 20 May 30 00:00 audit.log.1.5.gz.2.gz.1.1.1
-rw-r----- 1 root adm 0 Jun 6 00:00 audit.log.1.5.gz.2.gz.1.1.1.1
-rw-r----- 1 root adm 20 May 26 00:00 audit.log.1.5.gz.2.gz.1.1.1.1.1
-rw-r----- 1 root adm 0 Jun 6 00:00 audit.log.1.5.gz.2.gz.2.gz

Two things going on actually. The zero-byte files I think may be caused by logrotate being called simultaneously. Not sure.

The cascading log.gz files are stumping me also.

Anyone seen this before, and any insight? Your input is greatly appreciated.

Thank you, Bill

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

actionparsnip (andrew-woodhead666) said :
#1

Can you show your logrotate configs please

Bill Lindsey (blindsey) said :
#2

Thank you for the quick response!

Here's logrotate.conf:

# see "man logrotate" for details

# rotate log files weekly
weekly

# use the adm group by default, since this is the owning group
# of /var/log/syslog.
su root adm

# keep 4 weeks worth of backlogs
rotate 4

# create new empty log files after rotating old ones
create 0640

# use date as a suffix of the rotated file
#dateext

# uncomment this if you want your log files compressed
compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# system-specific logs may be also be configured here.

...and in logrotate.d here's the audit config:

/var/log/audit/audit.log.* {
    missingok
    notifempty
    delaycompress
    daily
    rotate 7
    compress
    copytruncate
    postrotate
        /usr/bin/systemctl kill -s SIGUSR2 auditd.service >/dev/null 2>&1 || true
    endscript
}

audit.log is the only logrotate area that has this issue.

Thank you again for taking a look at this!
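
An added example, not part of the original thread and not logrotate's own code: a small Python check of whether a stanza's path pattern also matches the names logrotate gives rotated copies (`name.1`, `name.1.gz` when `dateext` is off), in which case each run picks up the previous run's output again. The `/var/log/audit/` directory for the listed files and the helper names are assumptions.

```python
import fnmatch

# Stanza header and options abridged from the audit config quoted in the thread.
AUDIT_STANZA = """\
/var/log/audit/audit.log.* {
    delaycompress
    compress
    copytruncate
}
"""

# Names from the listing in the question; the directory is an assumption.
LISTING = [
    "/var/log/audit/audit.log.1.5.gz",
    "/var/log/audit/audit.log.1.5.gz.2.gz.1.1",
    "/var/log/audit/audit.log.1.5.gz.2.gz.2.gz",
]


def stanza_patterns(conf_text):
    """Return the path patterns on every 'pattern ... {' stanza header line."""
    patterns = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.endswith("{"):
            patterns.extend(line[:-1].split())
    return patterns


def rotated_names(path):
    """Names logrotate gives the newest rotated copy when dateext is off."""
    return [f"{path}.1", f"{path}.1.gz"]


def self_feeding(pattern, paths):
    """Return the paths that match pattern and whose rotated copies match too."""
    # fnmatch's * also crosses '/', unlike glob(3); fine for one directory.
    return [
        p for p in paths
        if fnmatch.fnmatchcase(p, pattern)
        and any(fnmatch.fnmatchcase(r, pattern) for r in rotated_names(p))
    ]


if __name__ == "__main__":
    for pattern in stanza_patterns(AUDIT_STANZA):
        hits = self_feeding(pattern, LISTING)
        print(f"{pattern}: {len(hits)} of {len(LISTING)} files would be rotated again")
```

A pattern that names only the live file, such as `/var/log/audit/audit.log`, returns no hits because `audit.log.1` does not match it; the wildcard pattern above, by contrast, does not match the live `audit.log` at all.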

actionparsnip (andrew-woodhead666) said :
#3
