
Audit Log Retention for One Year

What changes should I make to the auditd.conf in order to retain audit logs for one year? System is CentOS 6.2. Should I change the "max_log_file = SIZE"? What about "max_log_file_action = keep_logs"? Does this keep logs indefinitely?
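An added example, not from this thread: with `max_log_file_action = keep_logs`, auditd still rotates at `max_log_file` megabytes but never deletes the rotated files, so a separate job has to move them to an archive area and enforce the one-year window before the partition fills. The script below is assumed to run from cron; the paths, the 365-day window and the `max_log_file` value in the comments are assumptions, not settings from the original question.

```shell
#!/bin/sh
# Pairs with these auditd.conf lines (size is an assumed value):
#   max_log_file = 50
#   max_log_file_action = keep_logs
# keep_logs ignores num_logs, so audit.log.1, audit.log.2, ... accumulate
# until something else archives and prunes them.

# archive_audit_logs LOGDIR ARCHIVEDIR
# Compress every rotated log (audit.log.N) into ARCHIVEDIR, leaving the live
# audit.log untouched. Prints the number of files archived.
archive_audit_logs() {
    logdir=$1
    archivedir=$2
    stamp=$(date +%Y%m%d%H%M%S)
    count=0
    mkdir -p "$archivedir"
    for f in "$logdir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        dest="$archivedir/$base.$stamp.gz"
        # gzip -c leaves the source in place until the copy is complete;
        # the archive keeps the rotated log's mtime so pruning tracks log age.
        gzip -c "$f" > "$dest" && touch -r "$f" "$dest" && rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# prune_archives ARCHIVEDIR DAYS
# Delete archived logs older than DAYS (by mtime); print how many were removed.
prune_archives() {
    archivedir=$1
    days=$2
    count=0
    for f in $(find "$archivedir" -name 'audit.log.*.gz' -mtime +"$days"); do
        rm -f "$f"
        count=$((count + 1))
    done
    echo "$count"
}

# Cron entry point (assumed paths): archive, then keep one year of archives.
if [ "${1:-}" = "run" ]; then
    archive_audit_logs /var/log/audit /var/log/audit-archive
    prune_archives /var/log/audit-archive 365
fi
```

Archives are still on the same host, so they only survive the failures that the primary disk survives; copying the archive directory into whatever backup the system already has is the part the script deliberately leaves to the existing backup job.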
1 Solution
David (Senior Oracle Database Administrator) commented:
Regrets for answering a question with a question, but it begs the obvious:  consider moving the logs periodically onto off-line storage (such as tape) rather than wasting primary resources.  And, under what conditions would you be called upon to review a year old log?

This is not my field so this link may not be useful, but consider http://www.experts-exchange.com/Storage/Backup_Restore/Q_27654713.html.
abuhaneef (Author) commented:
There is no tape drive or external storage device available.  Review of logs may become necessary in case of security breach, system malfunction, etc.
David (Senior Oracle Database Administrator) commented:
1. What do you back up to, in the event your primary system is unavailable? If you're not backing up you have far more serious problems than a year-old log.

2. The desire to review a breach or malfunction is understandable and commendable. Why twelve months though? Consider a malfunction that occurs tonight, say, a drive controller fails. Your SA, some time in the next few days, detects the problem, researches alternatives, and hopefully makes the best choice. SA later writes up a root cause analysis report (RCA), which may lead to scheduling drive retirement at their rated MTBF. So, what is accomplished by studying that original syslog twelve months after it's been addressed?

Likewise a breach -- current event, detection, fix, sure.  Not catching the breach for a year?  It's time for a new SA.

To inject some humor, it's like a celebrity gossip editor poring over last year's who's dating whom -- it's simply not relevant.

So back to my first point:  if you are backing up, then restore the logs when you need to research them.  If you're not backing up, good luck on your next job.

Question has a verified solution.
