Linux – auditd process stops logging after logrotate script runs

Tags: auditd, centos5, centos6, linux, logrotate

I am trying to use logrotate to keep audit logs for a set period of time rather than using auditd's special rotation (from /etc/audit/auditd.conf). I have changed the max_log_file_action to IGNORE in that file.

The following is my logrotate configuration:

/var/log/audit/audit.log {
    daily
    dateext
    rotate 180
    postrotate
        /bin/kill -HUP `cat /var/run/auditd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

The logs are rotated successfully. However, the audit daemon does not start logging again. /var/log/audit/audit.log remains empty until I restart the auditd service. I have also tried /bin/kill -USR1 and service auditd reload, but those options do not work well either. /bin/kill -USR1 actually keeps the audit daemon running, but it creates an empty audit.log.1 file.

Is there a way to successfully send a signal to the audit daemon to keep it running after logrotate?

Thanks.

Best Answer

I believe that your kill command is actually failing to kill the process. Try the following:

/var/log/audit/audit.log {
    daily
    dateext
    rotate 180
    postrotate
        # Stop auditd via its PID file; the restart below then opens the new audit.log
        /bin/kill `cat /var/run/auditd.pid 2> /dev/null`
        service auditd restart
    endscript
}
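
The symptom in the question (the daemon still running while /var/log/audit/audit.log stays empty after rotation) can be confirmed by comparing the file now at the log path with the files the daemon actually has open. The script below is an added example, not part of the question or the answer; the function names and the temporary file names in the demonstration are made up for illustration, and it assumes Linux /proc and a stat that supports -c.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a daemon is writing
# to the file currently at the log path, not to a renamed (rotated) one.

# log_is_open PID LOGFILE
#   0: PID has a descriptor open on the file now at LOGFILE (same device:inode)
#   1: it does not, e.g. it still holds the rotated file or no log at all
#   2: PID or LOGFILE cannot be inspected
log_is_open() {
    lio_pid=$1
    lio_log=$2
    [ -d "/proc/$lio_pid/fd" ] && [ -e "$lio_log" ] || return 2
    lio_want=$(stat -L -c '%d:%i' "$lio_log") || return 2
    for lio_fd in /proc/"$lio_pid"/fd/*; do
        # Descriptors can close while we iterate; skip those.
        lio_have=$(stat -L -c '%d:%i' "$lio_fd" 2>/dev/null) || continue
        [ "$lio_have" = "$lio_want" ] && return 0
    done
    return 1
}

# check_daemon_log PIDFILE LOGFILE: same result codes, PID read from PIDFILE.
check_daemon_log() {
    cdl_pid=$(cat "$1" 2>/dev/null) || return 2
    [ -n "$cdl_pid" ] || return 2
    log_is_open "$cdl_pid" "$2"
}

# Constructed demonstration: this shell stands in for the daemon by holding
# descriptor 9 open on a temporary log, which is then rotated by rename.
rotation_demo() {
    demo_dir=$(mktemp -d) || return 2
    demo_log=$demo_dir/audit.log
    echo "$$" > "$demo_dir/daemon.pid"
    exec 9>>"$demo_log"
    before=0
    check_daemon_log "$demo_dir/daemon.pid" "$demo_log" || before=$?
    mv "$demo_log" "$demo_log-20240101"   # rotation by rename (constructed name)
    : > "$demo_log"                        # new, empty log at the old path
    after=0
    check_daemon_log "$demo_dir/daemon.pid" "$demo_log" || after=$?
    exec 9>&-
    rm -rf "$demo_dir"
    echo "before rotation: $before, after rotation: $after"
}
```

On a real host, `check_daemon_log /var/run/auditd.pid /var/log/audit/audit.log` run as root after the rotation returns 1 when auditd has not reopened the log, which is the condition to alert on.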