Audit Log Retention for One Year

What changes should I make to the auditd.conf in order to retain audit logs for one year?  System is CentOS 6.2.  Should I change the "max_log_file = SIZE"?  What about "max_log_file_action = keep_logs"? Does this keep logs indefinitely?
abuhaneef Asked:
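As an added example (not from the thread), a small Python check of what the two settings in the question actually control: it parses a constructed auditd.conf excerpt, estimates how many days a `rotate` configuration retains given a daily growth figure, and flags that `keep_logs` makes retention a matter of free disk rather than of auditd.conf. The 2 MB/day growth rate, the sample values and the `NUM_LOGS_MAX` constant are assumptions; confirm the latter against `man auditd.conf` on the actual system.

```python
import math
import re

# Constructed auditd.conf excerpt for illustration (not the asker's real file).
SAMPLE_CONF = """
log_file = /var/log/audit/audit.log
max_log_file = 6
num_logs = 5
max_log_file_action = ROTATE
space_left_action = SYSLOG
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
"""

NUM_LOGS_MAX = 99  # assumed cap for audit 2.x (CentOS 6 era); verify with `man auditd.conf`


def parse_auditd_conf(text):
    """Map each `key = value` line of auditd.conf to a lowercased dict, ignoring comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).lower()
    return conf


def retention_estimate(conf, mb_per_day, target_days=365):
    """Estimate retained days under the configured max_log_file_action.

    rotate:    capacity is max_log_file (MB) * num_logs; the oldest file is deleted on rotation.
    keep_logs: rotation still happens at max_log_file, but nothing is ever deleted, so retention
               is bounded by free disk, not by this file (the space_left_* settings then matter).
    Other actions (ignore, syslog, suspend) never rotate, so there is no retention window to size.
    """
    action = conf.get("max_log_file_action", "rotate")
    max_mb = int(conf.get("max_log_file", 8))
    num_logs = int(conf.get("num_logs", 0))
    result = {"action": action, "required_mb": target_days * mb_per_day,
              "capacity_mb": None, "days": None, "meets_target": None}
    if action == "rotate":
        result["capacity_mb"] = max_mb * num_logs
        result["days"] = result["capacity_mb"] / mb_per_day
        result["meets_target"] = result["days"] >= target_days
        # num_logs needed for the target, and whether auditd even allows that many files
        result["needed_num_logs"] = math.ceil(result["required_mb"] / max_mb)
        result["fits_num_logs_limit"] = result["needed_num_logs"] <= NUM_LOGS_MAX
    elif action == "keep_logs":
        result["note"] = "unbounded on disk; size the filesystem for required_mb and set disk_full_action"
    else:
        result["note"] = "no rotation with this action; the single log file simply grows"
    return result
```

With the sample values, five 6 MB files hold about 15 days at 2 MB/day, and a full year would need 122 files, more than `rotate` can keep, which is why the disk, not auditd.conf, ends up deciding the retention period either way.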
David, Senior Oracle Database Administrator, Commented:
Regrets for answering a question with a question, but it begs the obvious:  consider moving the logs periodically onto off-line storage (such as tape) rather than wasting primary resources.  And, under what conditions would you be called upon to review a year old log?

This is not my field so this link may not be useful, but consider http://www.experts-exchange.com/Storage/Backup_Restore/Q_27654713.html.
abuhaneef (Author) Commented:
There is no tape drive or external storage device available.  Review of logs may become necessary in case of security breach, system malfunction, etc.
David, Senior Oracle Database Administrator, Commented:
1.   What do you back up to, in the event your primary system is unavailable?  If you're not backing up you have far more serious problems than a year-old log.

2.   The desire to review a breach or malfunction is understandable and commendable.  Why twelve months though?  Consider a malfunction that occurs tonight, say, a drive controller fails.  Your SA, some time in the next few days, detects the problem, researches alternatives, and hopefully makes the best choice.  SA later writes up a root cause analysis report (RCA), which may lead to scheduling drive retirement at their rated MTBF.  So, what is accomplished by studying that original syslog twelve months after it's been addressed?

Likewise a breach -- current event, detection, fix, sure.  Not catching the breach for a year?  It's time for a new SA.

To inject some humor, it's like a celebrity gossip editor poring over last year's who's dating whom -- it's simply not relevant.

So back to my first point:  if you are backing up, then restore the logs when you need to research them.  If you're not backing up, good luck on your next job.

http://www.experts-exchange.com/Software/Misc/A_10604-The-Importance-of-a-Proper-Document-Management-and-Retention-Policy.html