The attached patch will allow the audit system to utilize 100mb for its logs, as opposed to 20mb. Due to the sheer number of SELinux denials that we're hitting on bastion (which will be resolved after a reboot, and my patches from the previous mail), bastion is only storing 1-2 days worth of audit logs. This patch will only effect bastion, as it is currently the only machine that is configured with 'include prelude::sensor::audisp' luke
>From 6f3e644a09d15c659716f82e8af18b66d75517c1 Mon Sep 17 00:00:00 2001 From: Luke Macken <lmacken@xxxxxxxxxx> Date: Fri, 21 Nov 2008 21:11:50 +0000 Subject: [PATCH] Increase the audit log size from 20mb to 100mb. diff --git a/modules/prelude/templates/auditd.conf.erb b/modules/prelude/templates/auditd.conf.erb index 4e9d153..0c95f4a 100644 --- a/modules/prelude/templates/auditd.conf.erb +++ b/modules/prelude/templates/auditd.conf.erb @@ -8,12 +8,12 @@ log_group = sysadmin-noc priority_boost = 4 flush = none freq = 0 -num_logs = 4 +num_logs = 10 disp_qos = lossless dispatcher = /sbin/audispd name_format = numeric #name = <%= hostname %> -max_log_file = 5 +max_log_file = 10 max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG -- 1.5.5.1
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
