auditd writes its logs to /var/log/audit/; when the maximum log size is reached, the log is rotated. How can you unambiguously determine that a binary file has been applied to the /var/log/audit/ folder, i.e. that /var/log/audit/audit.log.1 was made from /var/log/audit/audit.log?

    1 answer

    Apparently there is no direct way. You can compare and find out indirectly:

    grep rotat /var/log/messages

    there will be messages about the rotation of some (not a specific!) log by the auditd daemon; pay attention to the date/time.

    Further:

    head -n 5 /var/log/audit/audit.log | ausearch -i --start today

    there will be a message about some event; the date/time of this event should coincide with the rotation time.
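A script that automates the comparison the answer describes (an added example, not part of the original post): it pulls the auditd rotation notice out of syslog-format lines, takes the first event of the current audit.log and the last event of audit.log.1, and reports whether their timestamps line up. The log lines are constructed samples; the year passed in is an assumption, because syslog timestamps carry no year or zone; and the serial-number continuity check goes beyond the answer: the `msg=audit(time:serial)` counter is kernel-wide and keeps counting across a rotation, so a contiguous serial is supporting evidence on top of the time match.

```python
"""Correlate an auditd log-rotation notice in syslog with the first event of
the current audit.log and the last event of audit.log.1 (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample lines, not real logs. Syslog stamps have no year or zone,
# so the caller supplies the year and the clock is assumed to be UTC.
MESSAGES_SAMPLE = """\
Mar 10 12:00:01 host systemd[1]: Started Session 5 of user root.
Mar 10 12:34:56 host auditd[812]: Audit daemon rotating log files
Mar 10 12:40:00 host sshd[900]: Accepted publickey for root from 192.0.2.10 port 50000
"""
OLD_LOG_TAIL_SAMPLE = """\
type=SYSCALL msg=audit(1710074095.120:2040): arch=c000003e syscall=59 success=yes exit=0
type=PROCTITLE msg=audit(1710074095.120:2040): proctitle=2F62696E2F6C73
type=CRED_ACQ msg=audit(1710074096.001:2041): pid=1234 uid=0 auid=1000 ses=5
"""
NEW_LOG_HEAD_SAMPLE = """\
type=USER_START msg=audit(1710074096.500:2042): pid=1234 uid=0 auid=1000 ses=5
type=SYSCALL msg=audit(1710074097.010:2043): arch=c000003e syscall=257 success=yes exit=3
"""

# Same filter as `grep rotat`, narrowed to lines written by auditd.
SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ auditd\[\d+\]: .*rotat", re.I)
# Every audit record carries msg=audit(<epoch>.<ms>:<serial>).
AUDIT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def rotation_times(messages_text, year):
    """UTC datetimes of auditd rotation notices found in syslog-format text."""
    found = []
    for line in messages_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            stamp = f"{m.group(1)} {int(m.group(2)):02d} {m.group(3)} {year}"
            dt = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            found.append(dt.replace(tzinfo=timezone.utc))
    return found


def audit_events(text):
    """(epoch_seconds, serial) per event; records of one event share an id."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            ev = (float(m.group(1)), int(m.group(2)))
            if not events or events[-1] != ev:
                events.append(ev)
    return events


def check_rotation(messages_text, year, old_tail, new_head, tolerance_s=5.0):
    """Compare the rotation notice with the boundary events of the two logs."""
    old, new = audit_events(old_tail), audit_events(new_head)
    if not old or not new:
        raise ValueError("need at least one audit record in each log")
    last_old, first_new = old[-1], new[0]
    first_new_dt = datetime.fromtimestamp(first_new[0], tz=timezone.utc)
    # The rotation notice closest in time to the first event of the new log.
    candidates = rotation_times(messages_text, year)
    matched = min(candidates,
                  key=lambda t: abs((first_new_dt - t).total_seconds())) if candidates else None
    delta = abs((first_new_dt - matched).total_seconds()) if matched else None
    return {
        "rotation_time": matched.isoformat() if matched else None,
        "first_new_event": first_new_dt.isoformat(),
        "seconds_from_rotation": delta,
        "time_match": delta is not None and delta <= tolerance_s,
        # old log must end before the new one starts, in both time and serial
        "ordered": last_old[0] <= first_new[0] and last_old[1] < first_new[1],
        # kernel serial continues across rotation; a gap means lost or foreign records
        "serial_contiguous": first_new[1] == last_old[1] + 1,
    }


if __name__ == "__main__":
    result = check_rotation(MESSAGES_SAMPLE, 2024, OLD_LOG_TAIL_SAMPLE, NEW_LOG_HEAD_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host, feed it `grep rotat /var/log/messages`, `tail -n 20 /var/log/audit/audit.log.1` and `head -n 20 /var/log/audit/audit.log`. The syslog side only has one-second resolution and only exists if auditd actually logs to syslog on that system, and a serial gap is not proof of tampering on its own (daemon-generated records and events dropped under load can break contiguity), so the result remains the indirect correlation the answer describes, not a cryptographic link between the two files.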