Audit logs disappeared

MechWright

I set up an audit trail on our company's Linux system in June 2020. It seemed to work fine. Now, on the verge of a new year, I decided to check whether the auditing has been working as expected. To my surprise, searching with ausearch only finds matches from about the last two weeks!
For example,
sudo ausearch -ts 07/01/2020 -te 12/14/2020
gives the laconic reply
<no matches>.
sudo ausearch -ts 12/15/2020 -te 12/30/2020
finds quite a few matches (as expected), starting from the 16th of December.
Nor can the audit log files be found in /var/log/audit/.
Are they archived somewhere? What is happening?

jglen490

Depending on the specific distro, there may be a log rotation setting that initiates a new log (daily, weekly) and only retains the old ones for a specified period. I would recommend going to the forum for your specific distro and asking what the log rotation parameter/setting is.
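
One way to check the rotation setting the reply above refers to, for the auditd daemon that writes to /var/log/audit/ (an added example, not part of either post). It assumes the standard auditd.conf keys max_log_file, num_logs and max_log_file_action; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): estimate how much history auditd's own
# rotation keeps, from the max_log_file, num_logs and max_log_file_action keys.

# Print the last value assigned to key $2 in auditd.conf-style file $1.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }               # skip comment lines
        NF >= 2 {
            k = $1; v = $2
            gsub(/[ \t\r]/, "", k)        # strip blanks around key and value
            gsub(/[ \t\r]/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# Print a one-line retention summary for config file $1.
audit_retention() {
    action=$(conf_get "$1" max_log_file_action | tr '[:lower:]' '[:upper:]')
    size=$(conf_get "$1" max_log_file)    # megabytes per log file
    count=$(conf_get "$1" num_logs)       # files kept when action is ROTATE
    : "${size:=0}" "${count:=0}"          # treat missing numbers as 0
    case $action in
        ROTATE)
            if [ "$count" -lt 2 ]; then
                echo "ROTATE with num_logs < 2: auditd does not rotate"
            else
                echo "ROTATE: keeps $count files x $size MB = $((count * size)) MB, older events are deleted"
            fi ;;
        KEEP_LOGS) echo "KEEP_LOGS: rotated files are never deleted by auditd" ;;
        "")        echo "max_log_file_action not set in $1" ;;
        *)         echo "$action: auditd does not rotate on size" ;;
    esac
}

# Constructed sample configuration, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system's file
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
EOF
audit_retention "$sample"
rm -f "$sample"
```

On a real system, point audit_retention at the daemon's configuration file, commonly /etc/audit/auditd.conf. A separate logrotate or cron job, if the distro ships one for the audit logs, is not covered by this check.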