/var/log/audit/audit.log log is very large

After updating Rocky 9.2 yesterday, I didn’t pay attention to which files were updated. Today, I found that the /var/log/audit/audit.log log is very large. And after being deleted, it became very large again within an hour. I don’t know if there’s a way to turn it off.

As you’ve not provided any details on the actual size of the audit.log file, how large is it?

Generally the defaults are something like log files of 8 MB each, with a maximum of 5 log files; have these and other relevant settings in /etc/audit/auditd.conf been changed?

Have you set parameters such as “max_log_file = ” to limit size of each file, specified a hard limit to the number of logs kept with “num_logs = ”, and ensured “max_log_file_action = ROTATE” etc.?

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

I haven’t made any modifications to the content. But what I’m curious about is that this log file didn’t grow so fast before.

I changed its location to log_file = /dev/shm/audit.log

I don’t know if there will be any unknown issues with doing so.
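The reply above points at max_log_file, num_logs and max_log_file_action as the settings that bound audit.log, and the follow-up moves log_file onto /dev/shm. The script below is an added example, not part of auditd or of anything posted in this thread: it parses an auditd.conf-style text (the thread's config, embedded as a constructed sample with the /dev/shm location substituted), works out the disk ceiling the rotation settings imply, and flags settings that make the log grow without bound or disappear on reboot. The list of RAM-backed path prefixes is an assumption for the example; a real check would consult /proc/mounts. It does not read the live system and does not explain why the rules generate more events, which auditd.conf alone cannot tell you.

```python
"""Sanity-check auditd.conf rotation and placement settings (added example)."""

# Constructed sample: the auditd.conf from the thread, with log_file changed
# to the /dev/shm path mentioned in the follow-up post.
SAMPLE_CONF = """\
local_events = yes
write_logs = yes
log_file = /dev/shm/audit.log
log_format = ENRICHED
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
##tcp_listen_port = 60
"""

# Assumption for this example: these prefixes are normally tmpfs mounts,
# i.e. RAM-backed and cleared on reboot.
VOLATILE_PREFIXES = ("/dev/shm/", "/run/", "/tmp/")


def parse_auditd_conf(text):
    """Return {key: value} for 'key = value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def rotation_ceiling_mb(settings):
    """Largest footprint the rotated set can reach, or None if unbounded.

    auditd measures max_log_file in megabytes and, when
    max_log_file_action is rotate, keeps num_logs files.
    """
    action = settings.get("max_log_file_action", "").lower()
    if action != "rotate":
        return None
    size = int(settings.get("max_log_file", 0))
    count = int(settings.get("num_logs", 0))
    if size <= 0 or count <= 0:
        return None
    return size * count


def audit_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    action = settings.get("max_log_file_action", "").lower()
    if action == "keep_logs":
        findings.append("max_log_file_action=keep_logs: old files are never pruned, "
                        "so total size is unbounded")
    elif action != "rotate":
        findings.append(f"max_log_file_action={action or '(unset)'}: no rotation; "
                        "confirm this is intended")
    ceiling = rotation_ceiling_mb(settings)
    if ceiling is not None and ceiling > 1024:
        findings.append(f"rotation ceiling is {ceiling} MB; make sure the "
                        "partition has that much headroom")
    log_file = settings.get("log_file", "/var/log/audit/audit.log")
    if log_file.startswith(VOLATILE_PREFIXES):
        findings.append(f"log_file={log_file} is on a RAM-backed path: the audit "
                        "trail is lost on reboot and every rotated file costs memory")
    if settings.get("log_format", "").lower() == "enriched":
        findings.append("log_format=ENRICHED appends resolved names to each record, "
                        "so files fill faster than with RAW")
    return findings


if __name__ == "__main__":
    conf = parse_auditd_conf(SAMPLE_CONF)
    print("rotation ceiling (MB):", rotation_ceiling_mb(conf))
    for finding in audit_settings(conf):
        print("-", finding)
```

With the thread's values the ceiling is 8 MB x 5 files = 40 MB, so a single file that keeps outgrowing that within an hour means the event rate, not the rotation settings, is the thing to look at. Moving the log to /dev/shm is flagged because the space_left, admin_space_left and disk_full_action thresholds in the same config then apply to memory rather than disk, and the whole trail vanishes on reboot.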