• We had to restore from a backup today after a failed software update. Backup was from 0000 EDT and restored it at 0800 EDT so we lost about 8hrs. Today is 07/20/2024. More info here.

Audit logs disappeared


New Member
Jun 2, 2020
Reaction score
I set up an audit trail to our company's Linux system in June 2020. It seemed to work fine. Now, in the verge of a new year, I decided to check whether
the auditing has been working as expected. To my surprise, ausearch:ing only finds matches from about last two weeks!
For example,
sudo ausearch -ts 07/01/2020 -te 12/14/2020
gives the laconic reply
<no matches>.
sudo ausearch -ts 12/15/2020 -te 12/30/2020
finds quite a few matches (as expected), starting from 16th of December.
Nor can the audit log files be found in /var/log/audit/.
Are they archived somewhere? What is happening?

Depending on the specific distro, there may be a log rotation setting that initiates a new log (daily, weekly) and only retains the old ones for a specified period. I would recommend going to the forum for your specific distro, and ask what the logrotation parameter/setting is.