Bug 130071 (IT_66339) - laus creates an ever-increasing (and never rotated/deleted) set of logfiles
Alias: IT_66339
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: laus
Version: 3.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Jay Turner
URL: http://ltp.sourceforge.net/docs/rheal...
Depends On:
Blocks: 132991
Reported: 2004-08-16 20:36 UTC by John Caruso
Modified: 2015-01-08 00:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-05-20 03:25:51 UTC

External tracker:
System: Red Hat Product Errata
ID: RHBA-2005:219
Priority: normal
Status: SHIPPED_LIVE
Summary: laus bug fix update
Last Updated: 2005-05-19 04:00:00 UTC

Description John Caruso 2004-08-16 20:36:46 UTC
Description of problem:
By default, the audit system (laus) on RHEL3 produces an ever-
increasing set of save files (/var/log/audit.d/save.X) which are 
never rotated/deleted.  This is apparently by design, as per the URL 
cited above.  RedHat should consider modifying the distributed 
audit.conf file to rectify this issue.

I consider this a bug rather than an enhancement request because it 
could potentially result in a system with a default RedHat 
installation filling up its disks.  There are several workarounds, 
but RedHat as distributed should take care of rotating/controlling 
its own logfiles.

Version-Release number of selected component (if applicable):

How reproducible:
Perform a default installation of laus.

Comment 1 Sebastien BLAISOT 2004-09-10 14:20:22 UTC
Same problem here. (RHEL 3.0 ES Update 3)

With a heavily loaded machine, a 5 GB /var was full in a few hours.
After the /var filesystem is full, unable to log in, and when
rebooting (with CTRL-ALT-DEL on console), had messages saying /var was
unmountable and busy.

Comment 2 Charlie Bennett 2004-09-13 20:30:16 UTC
Hi - I think we can mitigate this by writing a shim to sit between
audit.conf and audbin.  I'll post a test copy here when I get a few
cycles to get something tidy.

Comment 4 Joe Orton 2004-10-15 15:43:35 UTC
# du -sh /var/log/audit.d/
7.5G    /var/log/audit.d

this is *really* horrible considering that audit is on by default in
fresh installs.  At least, can't we add a tmpwatch run for this directory?

Comment 5 John Caruso 2004-10-15 18:43:00 UTC
Since people are having real problems with this: a workaround for 
this bug (described at 
http://ltp.sourceforge.net/docs/rheal3cu.html#Header_59) is to 
replace the "notify" command in /etc/audit/audit.conf 
with "notify=/bin/true".  We've been forced to do this on our 
systems, and it appears to be working as a stopgap way to address the 

Comment 7 Jason Vas Dias 2005-02-24 18:14:38 UTC
This bug is now fixed in laus-0.1-67RHEL3, which should be in 
RHEL-3-U5, and which meanwhile can be downloaded from:

'/usr/sbin/audbin' now has -T and -N options:

-T <threshold>
Specify the threshold of free blocks on the -S destination
filesystem that cannot be exceeded. <threshold> must be a decimal
number, with optional fraction. <threshold> can be
expressed as a percentage, in which case it must end with the
'%' character.
-T 15000
Do not allow the number of free blocks on the -S destination
filesystem to fall below 15000.
-T 20%
Do not allow the number of free blocks on the -S destination
filesystem to fall below 20% of the total blocks on the
If the -N option is not specified, and the threshold is
exceeded, audbin will return an error to auditd causing the
'output { error {' action specified in audit.conf to be exe-

-N <notify command>
If the -T threshold is going to be exceeded by creation of the
-S destination file, then the <notify command> will be run.
Occurrences of the string %f within the notify command are
replaced by the path of the oldest file in the -S destination
-S /var/log/audit.d/save.%u -T 20% -N 'mv %f /backup'
will, when creation of the new /var/log/audit.d/save.N file
would cause the free blocks on the /var filesystem to amount to
less than 20% of the total blocks, move the oldest file in
/var/log/audit.d with a name prefixed by 'save.' to /backup,
before attempting to create the new save.N file. If the threshold
is still exceeded, the command is repeated for the next oldest
file until the disk usage is within the threshold.
If the -N command should fail (e.g. in the example above, if the
/backup filesystem is full), then audbin will return an error to
auditd causing the 'output { error {' action specified in
audit.conf to be executed.

The default audit.conf now has a notify command of:
notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T

By default, this will make auditd enter "suspend mode" when the 
number of free blocks on the /var filesystem is less than 20% of the
total blocks.
Users should implement their rotation / backup policy by adding a 
'-N' option to the audbin notify command, or change the default
'output { error { action' to be something other than suspend.
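
The -T / -N behaviour described in Comment 7, modelled as an added example (it is not code from laus or from the comment above) so an administrator can see which save files a given threshold would hand to the notify command, and when auditd would fall through to its error action. All function names are hypothetical. It assumes "oldest" means lowest modification time, that the notify command frees the file's blocks on the audit filesystem, and that f_bavail is the relevant free-block count.

```python
import os
from typing import List, NamedTuple, Tuple

class SaveFile(NamedTuple):
    path: str
    mtime: float   # assumption: "oldest" means lowest modification time
    blocks: int    # filesystem blocks released when the file is moved away

def min_free_blocks(spec: str, total_blocks: int) -> float:
    """'15000' is an absolute block count; '20%' is a share of total blocks."""
    spec = spec.strip()
    if spec.endswith("%"):
        return float(spec[:-1]) * total_blocks / 100.0
    return float(spec)

def plan_rotation(spec: str, total: int, free: int, new_blocks: int,
                  saves: List[SaveFile]) -> Tuple[List[str], bool]:
    """Return (%f values in the order -N would see them, threshold satisfied?)."""
    floor = min_free_blocks(spec, total)
    free_after = free - new_blocks          # free space once save.N is written
    handed_off: List[str] = []
    for f in sorted(saves, key=lambda s: s.mtime):
        if free_after >= floor:
            break
        handed_off.append(f.path)           # notify command runs with %f = f.path
        free_after += f.blocks              # assumes the command frees the space
    return handed_off, free_after >= floor  # False -> 'output { error {' action

def scan(directory: str, prefix: str = "save."):
    """Gather live inputs for plan_rotation() from a real directory."""
    vfs = os.statvfs(directory)
    saves = []
    for e in os.scandir(directory):
        if e.is_file(follow_symlinks=False) and e.name.startswith(prefix):
            st = e.stat(follow_symlinks=False)
            # st_blocks counts 512-byte units; round up to filesystem blocks
            saves.append(SaveFile(e.path, st.st_mtime,
                                  -(-st.st_blocks * 512 // vfs.f_frsize)))
    return vfs.f_blocks, vfs.f_bavail, saves

if __name__ == "__main__":
    # Constructed sample: 100000-block /var, 21000 free, new save file of 3000 blocks
    sample = [SaveFile("/var/log/audit.d/save.3", 300.0, 4000),
              SaveFile("/var/log/audit.d/save.1", 100.0, 1500),
              SaveFile("/var/log/audit.d/save.2", 200.0, 1000)]
    print(plan_rotation("20%", 100000, 21000, 3000, sample))
```

On a live system, `plan_rotation("20%", total, free, new_blocks, saves)` with the values returned by `scan("/var/log/audit.d")` shows whether the current backlog can still satisfy the threshold before auditd suspends.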

Comment 8 Dennis Gregorovic 2005-05-20 03:25:51 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

