The Audit Log:
- The SA appliance runs an auditd service that writes to /var/log/audit/audit.log
- This is the standard Linux auditd service, which is documented online.
The GUI Audit Log:
- The GUI audit log is displayed in the GUI by going to Settings -> Audit Log.
- This is where you see messages such as "Audit log viewed by admin".
- These messages are written to two different locations on the appliance.
- They are written to /var/log/messages and to a PostgreSQL database named ds_log.
- When you view the audit log in the GUI the messages are displayed from the ds_log database.
- These storage locations have different rotation schemes.
Rotation schemes:
- Every hour the /var/log/audit/audit.log file is checked to see if it is over 500MB.
- If it is over 500MB it is rotated.
- 15 files are kept (the live file plus 14 rotated copies).
- The 14 rotated copies should be gzip-compressed (.gz).
Example:
/var/log/audit/audit.log
/var/log/audit/audit.log.1.gz
GUI Audit Log, a.k.a. the PostgreSQL ds_log database:
- A cron job runs every day to keep only the most recent 10,000,000 records.
/var/log/messages:
- Every hour the /var/log/messages file is checked to see if it is over 100MB.
- If it is over 100MB it is rotated.
- 5 files are kept (the live file plus 4 rotated copies).
- The 4 rotated copies should be gzip-compressed (.gz).
Example:
/var/log/messages
/var/log/messages.1.gz
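An added check, not part of the appliance's own tooling, that compares a log file's on-disk state with the rotation scheme described above for both audit.log (500MB, 15 files) and messages (100MB, 5 files); the directory, file name, size threshold and retention count are passed as parameters so the same function covers both:

```shell
# Constructed example: verify that a rotated log's on-disk state matches the
# policy described in this note. Prints a WARN/FAIL line for each deviation
# and returns non-zero if anything is off, so it can be run from cron or a
# monitoring check.
# Usage: check_rotation <dir> <basename> <max_size_mb> <files_kept>
check_rotation() {
  dir=$1; name=$2; max_mb=$3; keep=$4
  cur="$dir/$name"
  status=0
  # The live file must exist.
  if [ ! -f "$cur" ]; then
    echo "FAIL: $cur missing"
    return 1
  fi
  # The live file should stay under the size that triggers the hourly rotation;
  # a much larger file suggests the rotation job is not running.
  size=$(wc -c < "$cur")
  if [ "$size" -gt $((max_mb * 1024 * 1024)) ]; then
    echo "WARN: $cur is $size bytes, over ${max_mb}MB; hourly rotation may not be running"
    status=1
  fi
  # Count the rotated generations (e.g. audit.log.1.gz). Every rotated copy is
  # expected to be gzip-compressed, and live file + rotated copies must not
  # exceed the retention count.
  rotated=0; uncompressed=0
  for f in "$cur".*; do
    [ -e "$f" ] || continue   # glob did not match anything
    rotated=$((rotated + 1))
    case "$f" in
      *.gz) ;;
      *) uncompressed=$((uncompressed + 1)); echo "WARN: $f is not compressed" ;;
    esac
  done
  if [ $((rotated + 1)) -gt "$keep" ]; then
    echo "WARN: $((rotated + 1)) files present for $name, retention is $keep"
    status=1
  fi
  [ "$uncompressed" -eq 0 ] || status=1
  return $status
}

# Example invocations matching the two schemes in this note:
#   check_rotation /var/log/audit audit.log 500 15
#   check_rotation /var/log messages 100 5
```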