An audit rule that is even slightly wrong will generate a huge number of records in a short time, so rule configuration must be done carefully. When the audit log fills up, you see a scenario like the following:
-r-------- 1 root root 8388609 Mar 11:47 audit.log.997
-r-------- 1 root root 8388780 Mar 11:47 audit.log.998
-r-------- 1 root root 8388621 Mar 11:47 audit.log.999
Then a whole string of warnings appears in the messages log:
2018-03-31T12:12:02.881911+08:00|warning|kernel[-]| [74525.638569] audit: audit_backlog=8193 > audit_backlog_limit=8192
2018-03-31T12:12:02.881997+08:00|warning|kernel[-]| [74525.638571] audit: audit_lost=7035351 audit_rate_limit=0 audit_backlog_limit=8192
2018-03-31T12:12:02.882088+08:00|err|kernel[-]| [74525.638572] audit: backlog limit exceeded
It can also interfere with the normal operation of rsyslog.
auditd itself has a log-rotation function. auditd writes its log with fprintf, accumulates the size of every record it writes, and checks the total against the log size on each write; when the size reaches the user-configured max_log_file, it calls shift_logs (this is the behaviour in keep_logs mode): the log that has just reached the threshold is renamed audit.log.1, and each earlier audit.log.N becomes audit.log.(N+1).
While checking the log size, auditd also periodically checks that enough disk space remains, using fstatfs to obtain the space information of the mounted partition that holds audit.log; when free space falls below space_left or admin_space_left, or the disk is full, the corresponding configured action is executed.
Since auditd already rotates its own log, what problems arise if it is used together with rsyslog?
rsyslog's rotation works reliably for logs written through the syslog function, but auditd writes its log with fprintf, so can that log be rotated according to the rsyslog configuration? The answer is yes. In /etc/rsyslog.conf, configure the following:
$outchannel audit,/var/log/audit/audit.log.tmp,2097152,xx_log_dump.sh param1 param2
Here audit is the name of the outchannel (not the name of the log file); /var/log/audit/audit.log.tmp is the destination file for the log output, and it is this file whose size rsyslog checks; 2097152 is the size threshold of the log file; xx_log_dump.sh is the program executed once the log file reaches the threshold, typically a dump script, with its parameters separated from the program name by spaces. With this configuration, rsyslog reads records from /var/log/audit/audit.log and writes them one by one into audit.log.tmp through syslog. Because a date field is added to every record in audit.log.tmp, audit.log.tmp is slightly larger than audit.log. When audit.log.tmp reaches 2097152 bytes, the dump script is invoked, which rotates the log to audit.log.1 and performs the dump processing.
However, make sure that the max_log_file value configured in /etc/audit/auditd.conf is larger than the rotation threshold configured in /etc/rsyslog.conf. Otherwise auditd rotates the file while rsyslog is also trying to rotate it, and the result is chaos: rsyslog must finish its rotation and dump before auditd rotates.
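The following is an added example, not code from the original post: a POSIX shell script in the role of xx_log_dump.sh above, implementing the keep_logs-style shift (audit.log.N to audit.log.N+1, then audit.log.tmp to audit.log.1) with a cap on the number of files kept, plus a check that the auditd limit is larger than the rsyslog threshold. The function names, the keep count and the trailing chmod are assumptions of this example; it also assumes that rsyslog closes the outchannel file before running the program and reopens it afterwards, so moving the file away is safe. One fact the post leaves implicit and the check depends on: max_log_file in auditd.conf is given in megabytes, while the outchannel threshold is in bytes (the 8388609-byte files in the listing above correspond to max_log_file = 8).

```shell
#!/bin/sh
# Added example: dump script for the rsyslog outchannel in the post, plus a
# threshold sanity check. Not from the original post; names are assumptions.
set -eu

# rotate_audit_log DIR BASE KEEP
# Shift DIR/BASE.N to DIR/BASE.(N+1), oldest first, like auditd's keep_logs
# mode, then move the full DIR/BASE.tmp into place as DIR/BASE.1.
# Files beyond KEEP are deleted so the rotation itself cannot fill the disk
# (the .997-.999 listing in the post shows what unbounded keeping looks like).
rotate_audit_log() {
    dir=$1; base=$2; keep=$3
    n=$keep
    while [ "$n" -ge 1 ]; do
        if [ -f "$dir/$base.$n" ]; then
            if [ "$n" -eq "$keep" ]; then
                rm -f "$dir/$base.$n"
            else
                mv "$dir/$base.$n" "$dir/$base.$((n + 1))"
            fi
        fi
        n=$((n - 1))
    done
    if [ -f "$dir/$base.tmp" ]; then
        # Assumption: rsyslog has closed this file and will reopen the path
        # after the script returns, so renaming it is safe.
        mv "$dir/$base.tmp" "$dir/$base.1"
        chmod 0400 "$dir/$base.1"   # same r-------- mode as in the listing
    fi
}

# auditd_max_log_file_bytes CONF
# Read max_log_file (megabytes) from an auditd.conf and print it in bytes.
auditd_max_log_file_bytes() {
    mb=$(sed -n 's/^[[:space:]]*max_log_file[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    [ -n "$mb" ] || return 1
    echo $((mb * 1024 * 1024))
}

# check_thresholds AUDITD_BYTES OUTCHANNEL_BYTES
# Succeed only if auditd would rotate later than rsyslog, which is the
# ordering the post requires; audit.log.tmp carries an extra date field per
# record, so the outchannel threshold should leave some margin as well.
check_thresholds() {
    [ "$1" -gt "$2" ]
}

# When invoked by rsyslog as "xx_log_dump.sh DIR BASE KEEP", do the rotation.
if [ "$#" -ge 3 ]; then
    rotate_audit_log "$1" "$2" "$3"
fi
```

With the outchannel line from the post, the matching invocation would be `xx_log_dump.sh /var/log/audit audit.log 100`, and `check_thresholds "$(auditd_max_log_file_bytes /etc/audit/auditd.conf)" 2097152` can be run from the same script, or at deploy time, to refuse a configuration in which auditd would rotate first.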
Linux Audit (4): audit log rotation and cooperation with rsyslog