Red Hat Bugzilla – Bug 325561
num_logs option is needed for keep_logs to work in /etc/auditd.conf
Last modified: 2010-02-11 06:13:10 EST
Description of problem:
If num_logs is disabled in /etc/auditd.conf file and max_log_file_action is set
to keep_logs, when the log file grows beyond the size of max_log_file_action the
following error goes into the log file:
Oct 9 14:22:48 node73 auditd: Last known log disappeared
Oct 9 14:22:48 node73 auditd: Next log to use will be
roughly 30 times a second. Needless to say this fills up the logfile quickly.
attached is auditd.conf file.
Created attachment 221751 [details]
Easy fix, scheduling for 4.7.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
audit-1.0.16-1 was built to solve this problem.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.