Description of problem: /var/log/audit.log Version-Release number of selected component (if applicable): audit-1.1.2-1.1 How reproducible: Always Steps to Reproduce: 1. Enable auditd to run on boot (default) 2. Wait a week 3. Notice audit.log never rotates Actual results: /var/log/audit/audit.log just grows and grows Expected results: /var/log/audit/audit.log should rotate Additional info: Signal "USR1 causes auditd to immediately rotate the logs" (from the man page), so logrotate probably shouldn't be involved. I added a small script to /etc/cron.weekly that does the trick (attached), though it may not be the most elegant solution.
Created attachment 122500 [details] cron.weekly script
The audit logs are rotated based on size rather than day of the week. The SIGUSR1 handler was added so that people could use the cron script that is shipped with the audit package: /usr/share/doc/audit-1.0.12/auditd.cron. You can install it if you want daily or weekly rotating. You would also want to set the max_log_file_action item to ignore so that the audit system doesn't rotate the files too early. Does this help?
OK. Reading the docs and config more closely, I was about 100K away from the threshold. More patience and RTFMing needed from me.