I am trying to use logrotate to keep audit logs for a set period of time rather than using auditd's special rotation (from /etc/audit/auditd.conf). I have changed the max_log_file_action to IGNORE in that file.
The following is my logrotate configuration:
/var/log/audit/audit.log {
    daily
    dateext
    rotate 180
    postrotate
        /bin/kill -HUP `cat /var/run/auditd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
The logs are rotated successfully. However, the audit daemon does not start logging again. /var/log/audit/audit.log remains empty until I restart the auditd service. I have also tried /bin/kill -USR1 and service auditd reload, but those options do not work well either. /bin/kill -USR1 actually keeps the audit daemon running, but it creates an empty audit.log.1 file.
Is there a way to successfully send a signal to the audit daemon to keep it running after logrotate?
Thanks.
Best Answer
I believe that your kill command is actually failing to kill the process. Try the following:
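The postrotate line in the question discards every error (`2> /dev/null || true`), so a failed kill cannot be seen in logrotate's output. The following is an added example, not the command the answer goes on to give and not code from either poster: a shell helper, under the hypothetical name signal_from_pidfile, that reports why signalling from a PID file failed.

```sh
# Send a signal to the daemon named in a PID file and report every failure,
# instead of hiding it behind "2> /dev/null || true".
# signal_from_pidfile is a hypothetical helper name (not part of auditd or logrotate).
# usage:   signal_from_pidfile PIDFILE SIGNAL EXPECTED_NAME
#          e.g. signal_from_pidfile /var/run/auditd.pid HUP auditd  (values from the question)
# returns: 0 delivered, 1 PID file unreadable, 2 PID not numeric,
#          3 no signalable process, 4 PID is another program, 5 kill failed
signal_from_pidfile() {
    sfp_file=$1 sfp_sig=$2 sfp_name=$3

    if [ ! -r "$sfp_file" ]; then
        echo "cannot read PID file $sfp_file" >&2
        return 1
    fi

    # Use the first line only and reject anything that is not a plain number,
    # so an empty or corrupted file never becomes a kill with no target.
    sfp_pid=$(head -n 1 "$sfp_file" | tr -d '[:space:]')
    case $sfp_pid in
        ''|*[!0-9]*) echo "PID file $sfp_file does not hold a number" >&2; return 2 ;;
    esac

    # Signal 0 tests existence and permission without delivering anything.
    if ! kill -0 "$sfp_pid" 2>/dev/null; then
        echo "no signalable process with PID $sfp_pid (stale PID file?)" >&2
        return 3
    fi

    # Confirm the PID still belongs to the expected daemon (guards against PID reuse).
    sfp_comm=$(cat "/proc/$sfp_pid/comm" 2>/dev/null ||
               ps -p "$sfp_pid" -o comm= 2>/dev/null) || sfp_comm=""
    if [ "$sfp_comm" != "$sfp_name" ]; then
        echo "PID $sfp_pid is '$sfp_comm', expected '$sfp_name'" >&2
        return 4
    fi

    if ! kill -s "$sfp_sig" "$sfp_pid"; then
        echo "kill -s $sfp_sig $sfp_pid failed" >&2
        return 5
    fi
    echo "sent SIG$sfp_sig to $sfp_name (PID $sfp_pid)"
}
```

A return code of 0 only shows that the signal was delivered; whether auditd then reopens audit.log is a separate question.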