Bug 325561 - num_logs option is needed for keep_logs to work in /etc/auditd.conf
num_logs option is needed for keep_logs to work in /etc/auditd.conf
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: audit (Show other bugs)
4.5
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-09 16:41 EDT by Calvin Smith
Modified: 2010-02-11 06:13 EST (History)
2 users (show)

See Also:
Fixed In Version: RHBA-2008-0731
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-24 15:58:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
auditd.conf file. (452 bytes, text/plain)
2007-10-09 16:41 EDT, Calvin Smith
no flags Details

  None (edit)
Description Calvin Smith 2007-10-09 16:41:26 EDT
Description of problem:
If num_logs is disabled in /etc/auditd.conf file and max_log_file_action is set
to keep_logs, when the log file grows beyond the size of max_log_file_action the
following error goes into the log file:

Oct  9 14:22:48 node73 auditd[10776]: Last known log disappeared
(/var/log/audit/audit.log.1)
Oct  9 14:22:48 node73 auditd[10776]: Next log to use will be
/var/log/audit/audit.log.1

roughly 30 times a second. Needless to say this fills up the logfile quickly. 

audit-1.0.15-3.EL4

attached is auditd.conf file.
Comment 1 Calvin Smith 2007-10-09 16:41:26 EDT
Created attachment 221751 [details]
auditd.conf file.
Comment 2 Steve Grubb 2008-04-10 13:16:58 EDT
Easy fix, scheduling for 4.7.
Comment 3 RHEL Product and Program Management 2008-04-10 13:28:11 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Steve Grubb 2008-04-10 16:59:02 EDT
audit-1.0.16-1 was built to solve this problem.
Comment 10 errata-xmlrpc 2008-07-24 15:58:18 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0731.html
Comment 11 Ludek Dolihal 2010-01-29 05:05:12 EST
Test

Note You need to log in before you can comment on or make changes to this bug.