The default audit log rotation, as it shows up on my brand-fresh F15 system, is:

num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE

That means that at most ~20MiB of logs will be kept. If something interesting (i.e. an active attack) is happening on a system, I'd expect that to result in losing the beginnings of the problem very quickly. Just seems an unfortunate choice, although I'm sure there could be reasons I'm not aware of.

-Robin
I am well aware of that. Just as you want more than 20Mb by default, there are people that don't want to waste 5 Mb on the audit logs. So, what do I do? I might bump it up to 30Mb and see if I get complaints to make it smaller, but everyone has different needs.
0.o Seems to me that if you can't spare 5 MiB, you are on a system so small that managing the config is *required*. Anyways, thanks for listening; I'm not going to throw a fit or anything, I just wanted to point it out. -Robin
For what little it's worth, my solution was to turn off in-auditd rotation entirely and do daily rotation with logrotate and a restart, but I imagine that's far more likely to lose a message or two, and that the default needs to be something that is very very unlikely to ever do that. -Robin
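The retention arithmetic from the opening comment, and the no-in-daemon-rotation case from the comment just above, as an added example that is not part of the original thread or of the audit package. The function names and the growth rates are assumptions made for illustration; the sample config is constructed from the three settings quoted at the top.

```python
import re

# Constructed sample: the three settings quoted in the opening comment.
SAMPLE_CONF = """\
# auditd.conf excerpt (constructed for this example)
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
"""

def parse_auditd_conf(text):
    """Return {key: value}; keys lower-cased, blank and '#' lines skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def retention_cap_mib(settings):
    """Approximate MiB of history kept before auditd discards the oldest file,
    or None when auditd itself never discards (for example when in-daemon
    rotation is turned off and logrotate handles it instead)."""
    action = settings.get("max_log_file_action", "").upper()
    # Missing keys are treated as unknown (None) rather than guessing a default.
    num_logs = int(settings.get("num_logs", "0"))
    max_mib = int(settings.get("max_log_file", "0"))
    # auditd drops old logs only under ROTATE with at least two log files.
    if action != "ROTATE" or num_logs < 2 or max_mib <= 0:
        return None
    return num_logs * max_mib

def retention_hours(settings, mib_per_hour):
    """Hours of audit history that survive at the given log growth rate."""
    cap = retention_cap_mib(settings)
    if cap is None or mib_per_hour <= 0:
        return None  # not bounded by auditd, or no growth to measure against
    return cap / mib_per_hour

def covers_window(settings, mib_per_hour, required_hours):
    """True if the oldest events outlive required_hours at this growth rate."""
    hours = retention_hours(settings, mib_per_hour)
    return hours is None or hours >= required_hours

if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    # Growth rates are assumed figures; measure the real one on the host.
    for label, rate in (("quiet host", 0.5), ("noisy incident", 40.0)):
        print(label, retention_hours(conf, rate), "hours kept,",
              "24h window ok:", covers_window(conf, rate, 24))
```

Replace the assumed growth rates with a figure measured on the host, such as the size change of the audit log directory over a known interval.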
Config updated: https://fedorahosted.org/audit/changeset/558
audit-2.1.3-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/audit-2.1.3-1.fc15
Package audit-2.1.3-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing audit-2.1.3-1.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/audit-2.1.3-1.fc15
then log in and leave karma (feedback).
audit-2.1.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.