<div>
What flavor of Linux is this? Centos / Redhat?
</div>


<div>
is there any milage on using logrotate to manage the files?<br />
<br />
Do you need to keep the logs for a long period? If not use find to remove files older than x weeks.
</div>


<div>
We are using Redhat. and yes we need to keep the files for at least 12 months. &nbsp;We are not allowed to rotate logs because our systems are continuously being audited by the IA team. (My team)<br />
<br />
John
</div>


<div>
Could you tar the whole directory to the backup server and then remove the directory? That should be easy enough to automated.<br />
You could do that for all directories over a certain age as well (I understand you need to keep them for at least 12 months, but they would be available from the backup server for as long as you like. Is there any point to keep them online for {insert some shorter period here} though?).
</div>


<div>
You can set a logrotate to keep your logs for 12 months, assuming you have sufficient disk space. &nbsp;A tar file does not reduce the size of the data. &nbsp;You can gzip or bzip the file to reduce the size. &nbsp;You can read .tgz or .tar.gz files with ztools (zgrep, zless, zcat...) .
</div>


<div>
tar + compressor certainly does reduce file size. <b>tar | xz -T 0</b> uses all available cores to do the compression.
</div>


<div>
So went with a home brewed option Though our SAs are protesting the use of it. <br />
I ended up adding it to a script that we use to audit &nbsp;and now it looks at the log file size and if it's over a certain size will tar it, compress it and move it to the backup server, stop the service and start the service again to ensure logging starts happening again. &nbsp;I will experiment with it for a few weeks and then if it really does work I will up the size limit to 2 Gigs.<br />
<br />
I can post how I got it working in a bit.<br />
<br />
John
</div>


<div>
You are addressing the problem that <b>logrotate</b> solves. Rather than stopping and starting the <i>service</i>, logrotate renames the file then sends a signal to the <i>logger</i>. No log message can be lost that way. Your method risks losing messages unless you are proposing to stop the service before starting tar and only restart the service after tar has finished <b><u>and</u></b> you signalled the logger so it let go of the old file. If I were your SA I would insist on using logrotate.
</div>


<div>
To add to Duncan Roe's post above<br />
<br />
Use logrotate to do a daily log rotation, and automatic compression of log files, and backup all .tgz files using your backup system.
</div>


<div>
So after chatting with the SAs and going through our options we have determined based on the current STIGS for RHEL 6.5 &nbsp;and the program I work on owns contractual wording log rotation is not allowed. &nbsp;It was designed initially for each system to be audited individually and the logs manually sent to a server for archive. &nbsp;When the contract was written there were only 55 systems. &nbsp;Now there are over 500 and you can't audit all of them in 7 days manually. &nbsp;So we came up with the syslog server and that works. &nbsp;Our inspectors have reservations about it and it does bend the rules of the contract. &nbsp;We are just using a partially manual/automated way of auditing.<br />
<br />
But to get to the solution attached is what we did. &nbsp;So far we have noticed no gaps in any log data being lost or missed.<br />
<br />
let me know what you think.<br />
<br />
John<br />
<a href="https://filedb.experts-exchange.com/incoming/2018/02_w06/1269668/log_back_up_experts.txt" target="_blank" class="file-inline" title="log_back_up_experts.txt (594 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>log_back_up_experts.txt</a>
</div>


log_back_up_experts.txt

<div>
Is this really what you're running or did you type it in again? Line 3 of <i>log_back_up_experts.txt</i>: <b>AUDIT_LOGSIZE=4(STAT -C%S &quot;$LOG_FILE&quot;) </b> should of course be <b>AUDIT_LOGSIZE=<u>$</u>(STAT -C%S &quot;$LOG_FILE&quot;)</b> ($ is shift-4)<br />
Also $<b>LO<u>F</u>_FILE</b> on line 10 (F should be G).<br />
If you want us to review your code, at least publish it properly
</div>


<div>
Yeah those were typos from re-typing it. &nbsp;<br />
I feel like you, Duncan, are being a bit condescending with your comment. &nbsp;You knew what I meant, obviously, you corrected it. &nbsp;So was there a need for the little jab there? &nbsp;And you offered no insight at all. &nbsp;I explained the situation as to why log rotate is not a viable solution. &nbsp;Not that I don't want it. &nbsp;Just not allowed to have it. &nbsp;So that is the solution we came up with.
</div>


<div>
I was able to add pkill -HUP syslogd to the script and it too is now doing what I need it to do. &nbsp;I do appreciate all the help and apologize for the confusion and frustration .<br />
<br />
John
</div>


<div>
<div class="content wysiwyg-content">
So we have 544 Linux machines<br />
They all send their audit.log to the syslog server<br />
<br />
Some of the logs are getting quite big and need to be tarred/compressed and stored on the backup sever to be backed up.<br />
<br />
So I wrote a script that tells me what folders are over 1 gig<br />
du -h --max-depth=1 /mnt/rsyslog/ | grep '[0-9]G\&gt;' | sort -hr &gt;/mnt/rsyslog/audit/Over1G<wbr />.txt<br />
<br />
That gives me a listing of folders that are over 1G and outputs to the text file<br />
<br />
Currently I am having to go to each folder and tar the file to the backup server, remove the file, then remove the directory.<br />
repeat steps for next machine<br />
<br />
Is there a way to write a script that will do what I do via the script?<br />
<br />
Attached is what I do.<br />
<br />
Thanks<br />
John<br />
<a href="https://filedb.experts-exchange.com/incoming/2018/01_w04/1266251/tar_experts.txt" target="_blank" class="file-inline" title="tar_experts.txt (445 bytes)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>tar_experts.txt</a>
</div>
</div>


tar_experts.txt

So we have 544 Linux machines
They all send their audit.log to the syslog server

Some of the logs are getting quite big and need to be tarred/compressed and stored on the backup sever to be backed up.

So I wrote a script that tells me what folders are over 1 gig
du -h --max-depth=1 /mnt/rsyslog/ | grep '[0-9]G\>' | sort -hr >/mnt/rsyslog/audit/Over1G.txt

That gives me a listing of folders that are over 1G and outputs to the text file

Currently I am having to go to each folder and tar the file to the backup server, remove the file, then remove the directory.
repeat steps for next machine

Is there a way to write a script that will do what I do via the script?

Attached is what I do.

Thanks
John

Tarring files in Linux 6.5

Linux is a UNIX-like open source operating system with hundreds of distinct distributions, including: Fedora, openSUSE, Ubuntu, Debian, Slackware, Gentoo, CentOS, and Arch Linux. Linux is generally associated with web and database servers, but has become popular in many niche industries and applications.

Linux

Golang, also called Go, is an open source programming language that is a statically-typed language with syntax loosely derived from C, adding automatic memory management, type safety, some dynamic-typing capabilities, additional built-in types such as variable-length arrays and key-value maps, and a large standard library. Go is a general-purpose systems programming language that aims to be efficient both for development and execution with a focus on fast compilation and increased maintainability of large projects. Go was originally targeted at systems programming tasks such as building server/web applications, high throughput middleware and databases.