How the audit log rotates in Security Analytics

Article ID: 223656


Products

Security Analytics

Issue/Introduction

Security Analytics stores system messages in the audit log. These audit logs often grow very large. How they are rotated is explained below, so that the system disks do not fill up.

Resolution

The Audit Log:

  • The SA appliance runs an auditd service that writes to /var/log/audit/audit.log
  • This is the standard Linux auditd service; general documentation for it is available online.

The GUI Audit Log:

  • The GUI audit log is displayed in the GUI by going to Settings -> Audit Log.
  • This is where you see messages such as "Audit log viewed by admin".
  • These messages are written to two different locations on the appliance.
    • They are written to /var/log/messages and to a PostgreSQL database named ds_log.
  • When you view the audit log in the GUI the messages are displayed from the ds_log database.
  • These storage locations have different rotation schemes.

Rotation schemes:

  • Every hour the /var/log/audit/audit.log file is checked to see if it is over 500MB.
  • If it is over 500MB it is rotated.
  • 15 files are kept.
  • 14 of them should be compressed (.gz).

    Example:

        /var/log/audit/audit.log
        /var/log/audit/audit.log.1.gz

GUI Audit Log (PostgreSQL ds_log):

  • A cron job runs every day to keep only the most recent 10,000,000 records.

/var/log/messages:

  • Every hour the /var/log/messages file is checked to see if it is over 100MB.
  • If it is over 100MB it is rotated.
  • 5 files are kept.
  • 4 of them should be compressed (.gz).

    Example:

        /var/log/messages
        /var/log/messages.1.gz
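To confirm that rotation is actually keeping up on an appliance, the following shell check is added here as an example; it is not part of this article or of the Security Analytics product. It assumes the rotated files use the .N / .N.gz naming shown in the examples above, and it demonstrates itself on a constructed log set with byte-sized limits standing in for the 500MB and 100MB thresholds.

```shell
# check_rotation <live log> <max files kept> <max uncompressed files> <size limit, bytes>
# Checks a logrotate-style set (<log>, <log>.1.gz, <log>.2.gz, ...) against the scheme
# above: at most N files kept, only the live file uncompressed, live file not far past
# its size limit. Prints each problem; returns 0 if healthy. Assumption (not from the
# article): rotated files use the .N / .N.gz naming shown in the examples.
check_rotation() {
    log="$1"; max_files="$2"; max_plain="$3"; size_limit="$4"
    rc=0; total=0; plain=0
    for f in "$log" "$log".*; do
        [ -f "$f" ] || continue            # unmatched glob stays literal: skip it
        total=$((total + 1))
        case "$f" in *.gz) ;; *) plain=$((plain + 1)) ;; esac
    done
    if [ "$total" -gt "$max_files" ]; then
        echo "$log: $total files kept, expected at most $max_files"; rc=1
    fi
    if [ "$plain" -gt "$max_plain" ]; then
        echo "$log: $plain uncompressed files, expected at most $max_plain"; rc=1
    fi
    # The size check runs hourly, so a live file slightly over the limit is normal;
    # more than twice the limit suggests rotation has stopped.
    if [ -f "$log" ]; then
        size=$(wc -c < "$log" | tr -d ' ')
        if [ "$size" -gt $((size_limit * 2)) ]; then
            echo "$log: live file is $size bytes, over twice the $size_limit limit"; rc=1
        fi
    fi
    return "$rc"
}
# make_sample_set <live log> <rotated files> <uncompressed rotated> <live bytes>
# Builds a constructed log set for the demo; only names and the live size matter here.
make_sample_set() {
    log="$1"; rotated="$2"; plain_rotated="$3"; live_bytes="$4"
    mkdir -p "$(dirname "$log")"
    head -c "$live_bytes" /dev/zero > "$log"
    i=1
    while [ "$i" -le "$rotated" ]; do
        if [ "$i" -le "$plain_rotated" ]; then printf 'old\n' > "$log.$i"
        else printf 'old\n' > "$log.$i.gz"; fi
        i=$((i + 1))
    done
}
# Demo with byte limits standing in for the article's 500MB / 100MB thresholds.
demo_dir=$(mktemp -d)
make_sample_set "$demo_dir/audit.log" 14 0 400     # 15 files, 14 .gz: healthy
check_rotation "$demo_dir/audit.log" 15 1 500 && echo "audit.log: OK"
make_sample_set "$demo_dir/messages" 6 3 1200      # too many, uncompressed, oversized
check_rotation "$demo_dir/messages" 5 1 100 || echo "messages: problems found"
rm -rf "$demo_dir"
```

On a real appliance the same function would be pointed at /var/log/audit/audit.log with 15, 1 and 524288000, and at /var/log/messages with 5, 1 and 104857600 (run as root so the audit directory is readable).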

Additional Information

For more general information on using the audit log, see Auditing and monitoring system changes in Security Analytics