auditdistd - audit trail file retntion

[Dan Langille]

JB via freebsd-questions wrote on 9/21/21 6:37 PM:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>> Date: Mon, 20 Sep 2021 11:07:34 -0400
>> From: Dan Langille dan at langille.org
>> To: "freebsd-questions at freebsd.org" freebsd-questions at freebsd.org
>> Cc: Pawel Jakub Dawidek pjd at freebsd.org
>> Subject: auditdistd - audit trail file retntion
>> Hello,
>> I am using auditdistd on FreeBSD 11.4 and 12.2 - I write about audit
>> trail files retention.
>> Is there an option to dispose of older logs in /var/audit/dist ?
>>
>> So far, it seems like a custom cronjob is in order. Something like:
>>
>> ??? /usr/bin/find /var/audit/dist -type f -mtime +7 -exec rm {} \;
>>
>> FYI: I have read up about auditd, /etc/security/audit_control, and the
>> audit -e option. They do not apply to auditdistd.
>>
>> Thank you.
>>
>> Dan Langille - dan at langille.org
>> https://langille.org/
> Why not just use newsyslog to manage them for you? See newsyslog.conf(5) for details.
newsyslog is a great tool and I've used it for wide range of tasks, not 
just log files.

I use newsyslog when I can. My usual use cases include webserver logs.

The characteristics of the data helps to understand why I think 
newsyslog is not feasible here.

auditdistd does its own rotation. The current log is: 
20210920075929.not_terminated

The previous log is 20210920075923.20210920075929.

There are 457 log files for Sept 20:

$ sudo ls -l /var/audit/dist/ | grep -c ' Sep 20'
457

If I used a glob, it won't be a typical /var/audit/dist/*.log - it would 
need to be * or something more complex.

Can newsyslog duplicate the above find? That is, removing only files 
older than 7 days?

The when field may consist of an interval, a specific time, or both.

If an interval is specified, the log file will be trimmed if that many 
hours have passed since the
last rotation. I can't see new syslog doing this.

Thank you.
-- 
Dan Langille
dan at langille.org