Audit log filling up diskspace

Article ID: 271494

Products

CA API Gateway

Issue/Introduction

We are noticing that the /var/log directory on the appliance servers fills up very fast after the cluster is configured. The messages, syslog and user.log files are growing to a huge size.


We noticed that log rotation is configured weekly, so the files keep growing until the disk is 100% full.

Question: How can we avoid this? Can we lower the logging level?


Below are snippets of the captured logs:

messages:

2023-07-05T05:19:43.502600+00:00 p1052026  type=EOE msg=audit(1688534383.497:12510358):
2023-07-05T05:19:44.807010+00:00 p1052026  type=SYSCALL msg=audit(1688534384.801:12510359): arch=c000003e syscall=59 success=yes exit=0 a0=7f8df8037400 a1=7f8df8047b00 a2=7f8df801d9d0 a3=8 items=3 ppid=3885 pid=31210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="TaniumSpawnHelp" exe="/opt/Tanium/TaniumClient/TaniumSpawnHelper" subj=unconfined key="cmd" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
2023-07-05T05:19:44.807117+00:00 p1052026 type=EXECVE msg=audit(1688534384.801:12510359): argc=7 a0="/opt/Tanium/TaniumClient/TaniumSpawnHelper" a1="--chdir" a2="/opt/Tanium/TaniumClient" a3="--argv" a4="/bin/sh" a5="-c" a6="/opt/Tanium/TaniumClient/VB/TempUnix_140247660754688_3084779956_.sh"

syslog:

Jul  5 05:19:57 p1052026  type=EXECVE msg=audit(1688534397.889:12510724): argc=4 a0="truncate" a1="-s" a2="100" a3="syslog"
Jul  5 05:19:57 p1052026  type=EXECVE msg=audit(1688534397.889:12510725): argc=3 a0="tr" a1="-d" a2="[:cntrl:]"
Jul  5 05:19:57 p1052026  type=CWD msg=audit(1688534397.889:12510724): cwd="/var/log"
Jul  5 05:19:57 p1052026  type=CWD msg=audit(1688534397.889:12510725): cwd="/"
Jul  5 05:19:57 p1052026  type=PATH msg=audit(1688534397.889:12510724): item=0 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:19:57 p1052026  type=PATH msg=audit(1688534397.889:12510724): item=1 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:19:57 p1052026  type=PATH msg=audit(1688534397.889:12510725): item=0 name="/usr/bin/tr" inode=525065 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"

user.log:

Jul  5 05:20:05 p1052026  type=EXECVE msg=audit(1688534405.921:12510844): argc=4 a0="truncate" a1="-s" a2="100" a3="user.log"
Jul  5 05:20:05 p1052026  type=CWD msg=audit(1688534405.921:12510844): cwd="/var/log"
Jul  5 05:20:05 p1052026  type=PATH msg=audit(1688534405.921:12510844): item=0 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05 p1052026  type=PATH msg=audit(1688534405.921:12510844): item=1 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05 p1052026  type=PATH msg=audit(1688534405.921:12510844): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=536292 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05 p1052026  type=PROCTITLE msg=audit(1688534405.921:12510844): proctitle=7472756E63617465002D730031303000757365722E6C6F67
Jul  5 05:20:05 p1052026  type=EOE msg=audit(1688534405.921:12510844):
Jul  5 05:20:06 p1052026  type=SYSCALL msg=audit(1688534406.725:12510845): arch=c000003e syscall=59 success=no exit=-2 a0=7f960f5f93b0 a1=7f95f0028680 a2=7f95e4008eb0 a3=7f96f0f99ac0 items=1 ppid=24445 pid=32083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="extension-sched" exe="/opt/SecureSpan/JDK/bin/java" subj=unconfined key="cmd" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Jul  5 05:20:06 p1052026  type=CWD msg=audit(1688534406.725:12510845): cwd="/"
Jul  5 05:20:06 p1052026  type=PATH msg=audit(1688534406.725:12510845): item=0 name="/usr/local/sbin/bash" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
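The lines above are auditd records (SYSCALL, EXECVE, CWD, PATH, PROCTITLE, EOE) that rsyslog is writing into the general log files; every execve on the box produces a whole group of them, which is where the volume comes from. Before lowering a log level it helps to know which record types and which commands dominate. The following POSIX shell script is an added example, not part of this article or of the product: it counts records by type, counts EXECVE records by argv[0], and decodes the hex PROCTITLE field (auditd hex-encodes the command line when it contains NUL separators between arguments). The sample log it runs on when given no file argument is constructed from the snippets above; pass a real file such as /var/log/syslog as the first argument to run it on live data.

```sh
#!/bin/sh
# Added example (not from the article): triage what is flooding syslog with
# audit records before deciding how far to lower the logging level.
# Input is a file of rsyslog-forwarded auditd lines like the snippets above.

# Number of records of one audit type (SYSCALL, EXECVE, PATH, ...) in a file.
count_type() {
    grep -c "type=$2 " "$1" || true     # grep -c prints 0 but exits 1 on no match
}

# "<count> <type>" per record type, busiest first.
# The leading space before "type=" avoids matching "nametype=" on PATH lines.
records_by_type() {
    sed -n 's/.* type=\([A-Z_]*\) .*/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "<count> <command>" for EXECVE records (argv[0]), busiest first.
top_execve_commands() {
    sed -n 's/.*type=EXECVE .*a0="\([^"]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# auditd writes PROCTITLE as hex when the command line contains NUL
# separators; turn the hex back into text, one space per NUL.
decode_proctitle() {
    printf '%s\n' "$1" | awk '{
        hex = "0123456789abcdef"; s = tolower($0); out = ""
        for (i = 1; i + 1 <= length(s); i += 2) {
            n = (index(hex, substr(s, i, 1)) - 1) * 16 + index(hex, substr(s, i + 1, 1)) - 1
            out = out (n == 0 ? " " : sprintf("%c", n))
        }
        print out
    }'
}

# Constructed sample: lines copied from the article's syslog/user.log snippets.
make_sample_log() {
    cat > "$1" <<'EOF'
Jul  5 05:19:57 p1052026  type=EXECVE msg=audit(1688534397.889:12510724): argc=4 a0="truncate" a1="-s" a2="100" a3="syslog"
Jul  5 05:19:57 p1052026  type=EXECVE msg=audit(1688534397.889:12510725): argc=3 a0="tr" a1="-d" a2="[:cntrl:]"
Jul  5 05:19:57 p1052026  type=CWD msg=audit(1688534397.889:12510724): cwd="/var/log"
Jul  5 05:19:57 p1052026  type=PATH msg=audit(1688534397.889:12510724): item=0 name="/usr/bin/truncate" inode=525067 dev=fe:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
Jul  5 05:20:05 p1052026  type=EXECVE msg=audit(1688534405.921:12510844): argc=4 a0="truncate" a1="-s" a2="100" a3="user.log"
Jul  5 05:20:05 p1052026  type=CWD msg=audit(1688534405.921:12510844): cwd="/var/log"
Jul  5 05:20:05 p1052026  type=PROCTITLE msg=audit(1688534405.921:12510844): proctitle=7472756E63617465002D730031303000757365722E6C6F67
Jul  5 05:20:05 p1052026  type=EOE msg=audit(1688534405.921:12510844):
Jul  5 05:20:06 p1052026  type=SYSCALL msg=audit(1688534406.725:12510845): arch=c000003e syscall=59 success=no exit=-2 a0=7f960f5f93b0 a1=7f95f0028680 a2=7f95e4008eb0 a3=7f96f0f99ac0 items=1 ppid=24445 pid=32083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="extension-sched" exe="/opt/SecureSpan/JDK/bin/java" subj=unconfined key="cmd" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
EOF
}

# Run on the file given as $1, or on the constructed sample when none is given.
log="${1:-}"
if [ -z "$log" ]; then
    log=$(mktemp); make_sample_log "$log"; cleanup=$log
fi
echo "records by type:";   records_by_type "$log"
echo "execve by command:"; top_execve_commands "$log"
for h in $(sed -n 's/.*proctitle=\([0-9A-Fa-f]*\)$/\1/p' "$log" | head -n 5); do
    echo "proctitle: $(decode_proctitle "$h")"
done
if [ -n "${cleanup:-}" ]; then rm -f "$cleanup"; fi
```

On the sample the PROCTITLE hex decodes to "truncate -s 100 user.log", i.e. the record documents a process truncating the very log file that the records are being written to; seeing the top commands this way tells you whether the volume is a handful of noisy periodic jobs (which is what the snippets suggest) or genuinely broad activity, which changes how aggressively the level should be lowered.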

Environment

Release: 11.0

Cause

The Debian-based OS used by release 11.0 generates more log data in its default configuration than the OS used by 10.x.

Resolution

Modify rsyslog.conf and the logrotate configuration for rsyslog. The logrotate configuration used is shown below:

# cat /etc/logrotate.d/rsyslog
/var/log/syslog
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
        rotate 4
        maxsize 50M
        minsize 40M
        hourly
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
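Two things are worth verifying before relying on the stanza above. First, "hourly" in a logrotate stanza only takes effect if logrotate itself is invoked every hour; the logrotate man page notes this, and a Debian install runs it once a day by default (cron.daily or logrotate.timer), so without an hourly job the files are still only rotated daily and can pass "maxsize 50M" by a wide margin. Second, the size thresholds and rotate count should be consistent, since a wrong value is not an error but simply delays rotation. The script below is an added example, not part of this article or the product: it reads a stanza, reports the declared interval, checks maxsize against minsize and the rotate count, looks for an hourly logrotate job on the host (a heuristic based on /etc/cron.hourly/logrotate and logrotate.timer), and, when logrotate is installed, does a dry run with `logrotate -d`, which makes no changes. With no argument it uses a constructed copy of the stanza above; pass /etc/logrotate.d/rsyslog to check the real file.

```sh
#!/bin/sh
# Added example (not from the article): sanity-check a logrotate stanza such
# as the /etc/logrotate.d/rsyslog shown above before relying on it.
# "hourly" in a stanza only works if logrotate itself runs every hour;
# Debian invokes it once a day by default, so rotation would still be daily
# and "maxsize 50M" could be overshot by a busy audit stream.

# Convert a logrotate size ("50M", "40M", "100k", "1G", plain bytes) to bytes.
size_bytes() {
    printf '%s\n' "$1" | awk '{
        n = $0 + 0; u = substr($0, length($0), 1)
        if (u == "k" || u == "K") n *= 1024
        else if (u == "M") n *= 1024 * 1024
        else if (u == "G") n *= 1024 * 1024 * 1024
        printf "%d\n", n
    }'
}

# Print the first rotation interval keyword found in a config file, or "none".
rotation_frequency() {
    f=$(awk '$1 ~ /^(hourly|daily|weekly|monthly|yearly)$/ { print $1; exit }' "$1")
    printf '%s\n' "${f:-none}"
}

# Print the value of a single-argument directive (maxsize, minsize, rotate).
directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Check the stanza for internal consistency; prints OK or the first problem.
check_policy() {
    conf=$1
    freq=$(rotation_frequency "$conf")
    maxs=$(directive "$conf" maxsize)
    mins=$(directive "$conf" minsize)
    keep=$(directive "$conf" rotate)
    if [ "$freq" = none ]; then
        echo "no rotation interval (hourly/daily/...) declared"; return 1
    fi
    if [ -n "$maxs" ] && [ -n "$mins" ] \
       && [ "$(size_bytes "$maxs")" -lt "$(size_bytes "$mins")" ]; then
        echo "maxsize $maxs is smaller than minsize $mins"; return 1
    fi
    if [ -z "$keep" ] || [ "$keep" -lt 1 ]; then
        echo "rotate count missing or zero: old logs would be deleted, not kept"; return 1
    fi
    echo OK
}

# Heuristic: is logrotate actually scheduled hourly on this host?
hourly_runner_present() {
    if [ -x /etc/cron.hourly/logrotate ]; then echo yes; return; fi
    if command -v systemctl >/dev/null 2>&1 \
       && systemctl show logrotate.timer -p TimersCalendar 2>/dev/null | grep -q hourly; then
        echo yes; return
    fi
    echo no
}

# Write a constructed copy of the article's stanza (shortened file list) to $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
/var/log/syslog
/var/log/user.log
/var/log/messages
{
        rotate 4
        maxsize 50M
        minsize 40M
        hourly
        missingok
        notifempty
        compress
        sharedscripts
        postrotate
                /usr/lib/rsyslog/rsyslog-rotate
        endscript
}
EOF
}

# Run on the file given as $1, or on the constructed sample when none is given.
conf="${1:-}"
if [ -z "$conf" ]; then
    conf=$(mktemp); write_sample_conf "$conf"; cleanup=$conf
fi
echo "interval: $(rotation_frequency "$conf")"
echo "policy:   $(check_policy "$conf")"
if [ "$(rotation_frequency "$conf")" = hourly ]; then
    echo "hourly logrotate job on this host: $(hourly_runner_present)"
fi
# Dry run with the real tool when it is installed (-d = debug, no changes made).
if command -v logrotate >/dev/null 2>&1; then logrotate -d "$conf" 2>&1 | head -n 20; fi
if [ -n "${cleanup:-}" ]; then rm -f "$cleanup"; fi
```

If the host reports no hourly job, either add one (an hourly cron entry or a timer override that runs logrotate hourly) or accept that "maxsize" is only evaluated at each daily run and size the filesystem accordingly.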

The log level was also lowered in rsyslog.conf; the modified rsyslog.conf is attached below.


Attachments

1691692562075__rsyslog_conf_debian_log_level_change+_v2.txt