审计守护进程（auditd）不会压缩任何日志。也许这是一个配置问题。您能告诉我下面的配置中是什么原因导致的吗？
# auditd.conf as posted; review comments added on their own lines (auditd.conf(5) is the reference).
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
# max_log_file is a size in megabytes; with keep_logs (below) auditd rotates at this size
# but never deletes or compresses old files, so num_logs is not a cap on disk usage.
max_log_file = 100
num_logs = 5
priority_boost = 4
# lossy: records to the dispatcher may be dropped under load; lossless would block instead.
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
# keep_logs: same as ROTATE except num_logs is ignored, so files accumulate and nothing is
# ever compressed by auditd itself -- this is why the logs are not compressed.
max_log_file_action = keep_logs
# space_left / admin_space_left are megabytes of free space on the log partition.
space_left = 75
space_left_action = email
action_mail_acct = root
admin_space_left = 50
# SUSPEND stops auditd from writing records to disk while the system keeps running, so
# coverage is lost silently; hardened baselines commonly use HALT or SINGLE for these three.
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# The remote-logging listener stays disabled (tcp_listen_port commented out); use_libwrap
# and the krb5 settings only take effect if it is ever enabled. Without krb5 a listener
# would accept unauthenticated remote records -- keep that in mind before uncommenting.
use_libwrap = yes
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
答案1
auditd 无法压缩自己的日志,您需要为此设置 logrotate。欲了解更多信息,请查看:
https://bgstack15.wordpress.com/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/
两者都有点过时，但你可以简单地把 `service auditd restart` 替换为 `systemctl restart auditd`。
auditd.conf 中所需的更改（默认情况下 auditd 会自行轮换文件，这不是我们想要的）：
max_log_file = 0
max_log_file_action = ignore
logrotate 配置文件示例（例如 /etc/logrotate.d/audit）：
# logrotate takes over rotation because auditd is configured with max_log_file_action = ignore.
/var/log/audit/*.log {
weekly
missingok
# compress is what actually answers the question: rotated files are gzipped here, not by auditd.
compress
# Left disabled on purpose: copytruncate can lose records written between the copy and the
# truncate, which is not acceptable for an audit trail.
#copytruncate
rotate 30
minsize 100k
maxsize 200M
postrotate
# Recreate the active log as root-only before the daemon comes back, so the new file never
# exists with a wider mode; '||:' keeps logrotate from aborting if either step fails.
touch /var/log/audit/audit.log ||:
chmod 0600 /var/log/audit/audit.log ||:
# A full restart reopens the log. Events raised during the restart presumably sit in the
# kernel audit backlog until auditd is back -- keep the gap short. On RHEL-family systems the
# auditd unit refuses manual stop through systemctl, so the SysV wrapper is deliberate;
# verify on your distribution before swapping in 'systemctl restart auditd'.
service auditd restart
endscript
}