Audit log filling up diskspace
Article ID: 271494
Products

CA API Gateway

Issue/Introduction

We are noticing that the /var/log directory on the appliance servers fills up very fast after the cluster is configured. The messages, syslog and user.log files grow to extremely large sizes.

Log rotation is configured weekly, so the files keep growing until the disk is 100% full.

Question: How can we avoid this? Can we lower the logging level?

Below are snippets of the captured logs. The entries are Linux audit records for execve (audit key "cmd") forwarded into syslog; the records of one event share the serial number in msg=audit(timestamp:serial), which is how the SYSCALL, EXECVE, CWD, PATH and PROCTITLE lines of a single command belong together. Note what the snippets record: a Tanium client helper spawning temporary shell scripts, and truncate -s 100 being run against syslog and user.log from /var/log, i.e. something on the host running truncate against the very files that are growing, in addition to whatever logrotate does.

messages:

2023-07-05T05:19:43.502600+00:00  type=EOE msg=audit(1688534383.497:12510358):
2023-07-05T05:19:44.807010+00:00  type=SYSCALL msg=audit(1688534384.801:12510359): arch=c000003e syscall=59 success=yes exit=0 a0=7f8df8037400 a1=7f8df8047b00 a2=7f8df801d9d0 a3=8 items=3 ppid=3885 pid=31210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="TaniumSpawnHelp" exe="/opt/Tanium/TaniumClient/TaniumSpawnHelper" subj=unconfined key="cmd" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
2023-07-05T05:19:44.807117+00:00  type=EXECVE msg=audit(1688534384.801:12510359): argc=7 a0="/opt/Tanium/TaniumClient/TaniumSpawnHelper" a1="--chdir" a2="/opt/Tanium/TaniumClient" a3="--argv" a4="/bin/sh" a5="-c" a6="/opt/Tanium/TaniumClient/VB/TempUnix_140247660754688_3084779956_.sh"

syslog:

Jul  5 05:19:57  type=EXECVE msg=audit(1688534397.889:12510724): argc=4 a0="truncate" a1="-s" a2="100" a3="syslog"
Jul  5 05:19:57  type=EXECVE msg=audit(1688534397.889:12510725): argc=3 a0="tr" a1="-d" a2="[:cntrl:]"
Jul  5 05:19:57  type=CWD msg=audit(1688534397.889:12510724): cwd="/var/log"
Jul  5 05:19:57  type=CWD msg=audit(1688534397.889:12510725): cwd="/"
Jul  5 05:19:57  type=PATH msg=audit(1688534397.889:12510724): item=0 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:19:57  type=PATH msg=audit(1688534397.889:12510724): item=1 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:19:57  type=PATH msg=audit(1688534397.889:12510725): item=0 name="/usr/bin/tr" inode=525065 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"

user.log:

Jul  5 05:20:05  type=EXECVE msg=audit(1688534405.921:12510844): argc=4 a0="truncate" a1="-s" a2="100" a3="user.log"
Jul  5 05:20:05  type=CWD msg=audit(1688534405.921:12510844): cwd="/var/log"
Jul  5 05:20:05  type=PATH msg=audit(1688534405.921:12510844): item=0 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05  type=PATH msg=audit(1688534405.921:12510844): item=1 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05  type=PATH msg=audit(1688534405.921:12510844): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=536292 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05  type=PROCTITLE msg=audit(1688534405.921:12510844): proctitle=7472756E63617465002D730031303000757365722E6C6F67
Jul  5 05:20:05  type=EOE msg=audit(1688534405.921:12510844):
Jul  5 05:20:06  type=SYSCALL msg=audit(1688534406.725:12510845): arch=c000003e syscall=59 success=no exit=-2 a0=7f960f5f93b0 a1=7f95f0028680 a2=7f95e4008eb0 a3=7f96f0f99ac0 items=1 ppid=24445 pid=32083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="extension-sched" exe="/opt/SecureSpan/JDK/bin/java" subj=unconfined key="cmd" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Jul  5 05:20:06  type=CWD msg=audit(1688534406.725:12510845): cwd="/"
Jul  5 05:20:06  type=PATH msg=audit(1688534406.725:12510845): item=0 name="/usr/local/sbin/bash" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
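The following script is an added example for this article, not code from the article or from the CA API Gateway product. It shows how to triage records like the ones above before deciding what to lower: it joins the forwarded audit records on their serial number, rebuilds each executed command line from the EXECVE record (falling back to PROCTITLE, or to the PATH item when the exec failed and no EXECVE record exists), counts exec events per program, and flags truncate runs aimed at files under /var/log. The input is a constructed sample built from the trimmed snippets above; the function names are the example's own.

```python
import os
import posixpath
import re
from collections import Counter, defaultdict

# Constructed sample input (not a real capture): the records above, trimmed of the
# hex register values and duplicated UID/GID fields. The two timestamp prefixes
# (ISO in messages, classic in syslog/user.log) are both ignored by the parser.
SAMPLE = r'''
2023-07-05T05:19:44.807010+00:00  type=SYSCALL msg=audit(1688534384.801:12510359): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=3885 pid=31210 auid=4294967295 uid=0 comm="TaniumSpawnHelp" exe="/opt/Tanium/TaniumClient/TaniumSpawnHelper" key="cmd" ARCH=x86_64 SYSCALL=execve
2023-07-05T05:19:44.807117+00:00  type=EXECVE msg=audit(1688534384.801:12510359): argc=7 a0="/opt/Tanium/TaniumClient/TaniumSpawnHelper" a1="--chdir" a2="/opt/Tanium/TaniumClient" a3="--argv" a4="/bin/sh" a5="-c" a6="/opt/Tanium/TaniumClient/VB/TempUnix_140247660754688_3084779956_.sh"
Jul  5 05:19:57  type=EXECVE msg=audit(1688534397.889:12510724): argc=4 a0="truncate" a1="-s" a2="100" a3="syslog"
Jul  5 05:19:57  type=CWD msg=audit(1688534397.889:12510724): cwd="/var/log"
Jul  5 05:20:05  type=EXECVE msg=audit(1688534405.921:12510844): argc=4 a0="truncate" a1="-s" a2="100" a3="user.log"
Jul  5 05:20:05  type=CWD msg=audit(1688534405.921:12510844): cwd="/var/log"
Jul  5 05:20:05  type=PROCTITLE msg=audit(1688534405.921:12510844): proctitle=7472756E63617465002D730031303000757365722E6C6F67
Jul  5 05:20:06  type=SYSCALL msg=audit(1688534406.725:12510845): arch=c000003e syscall=59 success=no exit=-2 items=1 ppid=24445 pid=32083 auid=4294967295 uid=0 comm="extension-sched" exe="/opt/SecureSpan/JDK/bin/java" key="cmd" ARCH=x86_64 SYSCALL=execve
Jul  5 05:20:06  type=CWD msg=audit(1688534406.725:12510845): cwd="/"
Jul  5 05:20:06  type=PATH msg=audit(1688534406.725:12510845): item=0 name="/usr/local/sbin/bash" nametype=UNKNOWN
'''

# Every record carries type=... and msg=audit(timestamp:serial); the serial ties
# the SYSCALL, EXECVE, CWD, PATH and PROCTITLE records of one event together.
TYPE_RE = re.compile(r'type=(?P<type>\w+)\s+msg=audit\([\d.]+:(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one record into (serial, type, {field: value}); None if it is not an audit record."""
    m = TYPE_RE.search(line)
    if not m:
        return None
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(m.group('body'))}
    return m.group('serial'), m.group('type'), fields

def group_events(text):
    """Join records on the serial. PATH repeats once per path item, so it is kept as a list."""
    events = defaultdict(lambda: {'PATH': []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        serial, rtype, fields = rec
        if rtype == 'PATH':
            events[serial]['PATH'].append(fields)
        else:
            events[serial][rtype] = fields
    return dict(events)

def execve_argv(fields):
    """Rebuild argv from an EXECVE record's argc and a0..aN fields."""
    return [fields.get(f'a{i}', '') for i in range(int(fields.get('argc', 0)))]

def decode_proctitle(hexstr):
    """PROCTITLE is the command line hex-encoded with NUL separators."""
    return bytes.fromhex(hexstr).decode('utf-8', 'replace').split('\0')

def exec_events(text):
    """One summary dict per execve event, oldest serial first."""
    out = []
    for serial, recs in sorted(group_events(text).items(), key=lambda kv: int(kv[0])):
        sc = recs.get('SYSCALL', {})
        ex = recs.get('EXECVE')
        # The enriched SYSCALL=execve name is architecture-independent; raw syscall=59 is not.
        if ex is None and sc.get('SYSCALL') != 'execve':
            continue
        if ex is not None:
            argv = execve_argv(ex)
        elif 'PROCTITLE' in recs:
            argv = decode_proctitle(recs['PROCTITLE']['proctitle'])
        else:  # failed exec with no EXECVE record: PATH item=0 is what was attempted
            argv = [p['name'] for p in recs['PATH'] if p.get('item') == '0'] or ['?']
        exit_code = int(sc['exit']) if 'exit' in sc else None
        out.append({
            'serial': int(serial),
            'argv': argv,
            'cwd': recs.get('CWD', {}).get('cwd'),
            # After a successful execve, comm/exe in SYSCALL already name the new image,
            # so ppid is the field that tells you which process spawned the command.
            'ppid': sc.get('ppid'),
            'success': sc.get('success'),  # None if the SYSCALL record was not captured
            'error': os.strerror(-exit_code) if exit_code is not None and exit_code < 0 else None,
        })
    return out

def top_programs(text):
    """Exec events per program: the number to have before lowering any log level."""
    return Counter(ev['argv'][0] for ev in exec_events(text))

def truncations_under_var_log(text):
    """Flag truncate runs whose target resolves under /var/log (two of them in the sample)."""
    hits = []
    for ev in exec_events(text):
        if len(ev['argv']) > 1 and posixpath.basename(ev['argv'][0]) == 'truncate':
            target = posixpath.join(ev['cwd'] or '/', ev['argv'][-1])
            if target.startswith('/var/log/'):
                hits.append((ev['serial'], target))
    return hits
```

On a real appliance, feed it the file contents (for example exec_events(open('/var/log/syslog').read()) and top_programs(...).most_common()); the per-program counts together with the ppid of each event identify the spawner responsible for the volume, which decides whether a lower syslog level or a narrower audit rule is the right fix. The truncation check is worth keeping in a detection pipeline on its own merits.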

Environment

CA API Gateway 11.0

Cause

The Debian-based OS of Gateway 11.0 ships with default audit and syslog settings that generate more logging than the CentOS-based OS of Gateway 10.x.

Resolution

Two changes were made: log rotation in /etc/logrotate.d/rsyslog was tightened (below), and the log level in /etc/rsyslog.conf was lowered (attached).

# cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        rotate 4
        maxsize 50M
        minsize 40M
        hourly
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}

The log-level change to /etc/rsyslog.conf is in the attached file.

Two points to check when applying the rotation settings above. First, "hourly" in a logrotate.d fragment only takes effect if logrotate itself is run hourly; Debian's stock logrotate.timer (or /etc/cron.daily/logrotate) runs once a day, so without an hourly timer override or a /etc/cron.hourly entry the maxsize 50M limit is only evaluated daily. When logrotate does run, minsize 40M skips a scheduled rotation while the file is still below 40M, and maxsize 50M forces one whenever the file exceeds 50M regardless of schedule; with rotate 4 and compress, at most four compressed archives plus the active file are kept per log.

Second, lowering the syslog level discards the forwarded audit records at rsyslog; it does not change what the kernel audit subsystem records. If the execve events themselves are not wanted, adjust the audit rule that produces them (the one keyed "cmd") rather than only filtering them at the syslog stage.

Attachments

1691692562075__rsyslog_conf_debian_log_level_change+_v2.txt