Security – Using auditd and retaining log files for 6 months.

Tags: audit, auditd, log-files, Security

Disclaimer: I'm not an accredited or very experienced sysadmin, but I have been tasked with some sysadmin responsibilities.

Task: Find a way to log all account management activities (e.g., account creation, modification, deletion, etc.) on an Ubuntu 16.04 LTS server and retain the logging information for at least 6 months.

Details:

  • The previous sysadmin had installed auditd to the system as a first step in solving this issue.

    When running:

    sudo systemctl status auditd.service
    

    systemd spits back that the service is successfully running and listening for events. It is my understanding that this package (auditd) is what I need to accomplish the task. The service seems to already be running and logging so where can I find and retain the log files for 6 months?

  • The file "/var/log/audit/audit.log" exists and the file is populated with audit information

  • Reading more information online about how auditd works, I suspect the solution may be in configuring how the audit log is rotated. I do not fully understand how rotations work, but I believe log files are being rotated when the file size reaches a certain limit and not by how much time has elapsed. I think I can configure rotations by altering the file "/etc/audit/auditd.conf".

So, knowing these details (please ask for more information if you need it), how may I go about accomplishing the Task?

Many thanks for all the help in advance!

Best Answer

I'd use the auditd configuration steps from here: https://access.redhat.com/solutions/661603

omitting the cron part and instead using logrotate, its compression feature, and the time-based retention settings. For details see man logrotate.

E.g. compress, monthly, postrotate (with the command from the solution above), and rotate 5.

Be careful with the interval and rotate setup: the example would lead to situations where only approx. 150 days are stored. Depending on your requirements, daily/weekly with rotate 180/30 could be better.
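The pieces the answer describes, put together as an added example (this is not code from the question, the answer, or the Red Hat article). It assumes Ubuntu 16.04 with auditd logging to /var/log/audit/audit.log, that auditd writes its pid to /var/run/auditd.pid, that this auditd honours an /etc/audit/rules.d directory (if yours does not, append the rules to /etc/audit/audit.rules instead), and that logrotate runs from the default daily cron job. The three generated files are: audit rules that tag every account-management change with the key "identity", the auditd.conf setting that stops auditd rotating by size on its own, and the logrotate stanza that does time-based rotation, compression and retention. The `retention_days` helper is the arithmetic behind the answer's warning that monthly with rotate 5 keeps only about 150 days; `config_retention_days` reads a stanza back and reports what it actually retains. Files are rendered under a scratch ROOT by default; run it as root with ROOT=/ to install for real.

```shell
#!/bin/sh
# Added example: generate the auditd rules, auditd.conf tweak and logrotate
# stanza for "log account management, keep 6 months". ROOT defaults to a
# scratch directory so you can inspect the output before touching /etc.
ROOT="${ROOT:-$(mktemp -d)}"

# Audit rules (assumed path /etc/audit/rules.d/): watch the account databases
# and the tools that edit them, keyed "identity" for `ausearch -k identity`.
write_account_rules() {
    dir="$1/etc/audit/rules.d"
    mkdir -p "$dir"
    cat > "$dir/account-mgmt.rules" <<'EOF'
## Account management: writes / attribute changes to the account databases
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
## Execution of the account tools, so the record carries the full command line
-w /usr/sbin/useradd -p x -k identity
-w /usr/sbin/usermod -p x -k identity
-w /usr/sbin/userdel -p x -k identity
-w /usr/sbin/groupadd -p x -k identity
-w /usr/sbin/groupmod -p x -k identity
-w /usr/sbin/groupdel -p x -k identity
-w /usr/bin/passwd -p x -k identity
-w /usr/bin/chage -p x -k identity
EOF
    echo "$dir/account-mgmt.rules"
}

# Set (or append) one key in auditd.conf and echo the resulting line.
# max_log_file_action = ignore stops auditd rotating by size itself, so the
# only rotation left is the time-based one logrotate drives (assumed setting).
set_auditd_option() {
    conf="$1"; key="$2"; value="$3"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$conf"; then
        sed -i "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
    grep "^$key = " "$conf"
}

# logrotate stanza. No 'create': auditd opens a fresh audit.log (mode 0600)
# itself when it gets SIGUSR1, which auditd(8) documents as "rotate the logs".
# delaycompress leaves the just-rotated file uncompressed for one cycle in
# case the daemon still had it open when postrotate ran.
write_logrotate_conf() {
    root="$1"; interval="$2"; count="$3"
    dir="$root/etc/logrotate.d"
    mkdir -p "$dir"
    cat > "$dir/audit" <<EOF
/var/log/audit/audit.log {
    $interval
    rotate $count
    dateext
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /bin/kill -USR1 \$(cat /var/run/auditd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
    echo "$dir/audit"
}

# Days of history a stanza guarantees right after a rotation: rotate count
# times the interval (a month counted as 30 days). monthly + rotate 5 = 150.
retention_days() {
    interval="$1"; count="$2"
    case "$interval" in
        daily)   echo $((count * 1)) ;;
        weekly)  echo $((count * 7)) ;;
        monthly) echo $((count * 30)) ;;
        yearly)  echo $((count * 365)) ;;
        *) echo "unknown interval: $interval" >&2; return 1 ;;
    esac
}

# Read interval and rotate count back out of a stanza and compute retention.
config_retention_days() {
    conf="$1"
    interval=$(awk '/^[[:space:]]*(daily|weekly|monthly|yearly)[[:space:]]*$/ {print $1}' "$conf")
    count=$(awk '/^[[:space:]]*rotate[[:space:]]/ {print $2}' "$conf")
    retention_days "$interval" "$count"
}

write_account_rules "$ROOT"
set_auditd_option "$ROOT/etc/audit/auditd.conf" max_log_file_action ignore
conf=$(write_logrotate_conf "$ROOT" daily 180)
echo "$conf keeps about $(config_retention_days "$conf") days of audit log"
```

After installing for real, load the rules into the running daemon with `auditctl -R /etc/audit/rules.d/account-mgmt.rules` (and `augenrules --load` or a daemon restart to make them persistent, depending on what your auditd package provides), restart auditd once so the auditd.conf change takes effect, and dry-run the stanza with `logrotate -d /etc/logrotate.d/audit`. Account changes are then pulled out of the current and rotated files with `ausearch -k identity`; compressed rotations have to be decompressed first, since ausearch reads plain files.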