Open coretemp opened 6 years ago
@coretemp I'm assuming you set up rsyslog or something? Coming from any other distro this can be a bit of a surprise when you see logs continually grow...
Generally the answer is that applications should be switched to log to journald, but in the case of rsyslog obviously that isn't the answer.
I'm putting some thought into this, hopefully for 19.03
https://discourse.nixos.org/t/nixos-19-03-feature-freeze/1950/6?u=aanderse
This issue remains in version 24.05.
The auditd service enabled by security.auditd.enable is shipped without a config file (Config file /etc/audit/auditd.conf doesn't exist, skipping). As a result, it outputs logs to the default path /var/log/audit/audit.log without any log rotation, which will take up a lot of disk space over time.
Additionally, there are no other options available for auditd except enable to change its behavior.
> without any log rotation
as far as i understand the log will be rotated at something like 6mb (according to upstream docs and RHEL sources i searched)
that being said, though, this module could benefit from a settings option which allows the user to more easily configure the software
@ljxfstorm do you use this nixos module? and are you interested in enhancing it?
I have a continuously running VPS on NixOS 23.11 with security.auditd.enable = true since November 2023, and I found that the /var/log/audit/audit.log took up over 10GB last week after I upgraded it to 24.05. That's why I brought up this issue.
If I'm not misunderstanding, according to src/auditd-event.c@audit-3.1.2, log rotation will occur only when config->num_logs > 1, and according to src/auditd-config.c@audit-3.1.2, the default value of config->num_logs is 0L. Therefore, the default action of auditd without a config file is no log rotation, and it's barely usable.
> @ljxfstorm do you use this nixos module? and are you interested in enhancing it?
I'm not a heavy Nix user; I use NixOS as an easy-to-migrate solution for VPS and am not capable of contributing to nixpkgs currently. Maybe I'll enhance it someday, but I'm hoping someone can fix it sooner.
thanks for the info
leave it with me, i'll try to put this at a reasonable priority on my queue
i had a chance to look into this a little bit the other night
the audit package has had a major version bump and appears to require a few changes... i suggest we entirely overhaul the services.audit and services.auditd modules and merge them into one when we do the major version bump... but this is probably a bit of a bigger job and requires more expertise with the audit stack than i currently have
so what do we do in the meantime? at this very moment i suggest you add this configuration to your server:
{ config, pkgs, lib, ... }:
{
  environment.etc."audit/auditd.conf".text = ''
    num_logs = 5
  '';
}
and then restart the auditd service
so who has experience with auditd in the 4.x series of releases? :thinking:
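A check for the condition discussed in this thread, as an added example (not code from nixpkgs, the audit project, or any participant here): it reads an auditd.conf and reports whether rotation can occur, taking the thread's reading of audit 3.1.2 as given (num_logs defaults to 0, rotation needs num_logs > 1). The function names, the constructed sample configs and the handling of max_log_file_action are assumptions of this example.

```python
import tempfile
from pathlib import Path

# Default the thread reports for audit 3.1.2 when no config file is read.
DEFAULT_NUM_LOGS = 0

def parse_auditd_conf(text):
    """Parse 'key = value' lines; keys lower-cased, comments and junk skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def rotation_status(path):
    """Return (bounded, reason): can auditd rotate and cap its log with this config?"""
    conf = Path(path)
    if not conf.is_file():
        return False, f"{conf} missing: num_logs defaults to {DEFAULT_NUM_LOGS}"
    settings = parse_auditd_conf(conf.read_text(encoding="utf-8"))
    try:
        num_logs = int(settings.get("num_logs", DEFAULT_NUM_LOGS))
    except ValueError:
        return False, f"num_logs is not a number: {settings['num_logs']!r}"
    if num_logs <= 1:
        return False, f"num_logs = {num_logs}: rotation needs num_logs > 1"
    # Assumption (auditd.conf man page): only the 'rotate' action honours num_logs.
    action = settings.get("max_log_file_action", "").lower()
    if action and action != "rotate":
        return False, f"max_log_file_action = {action}: num_logs is not used"
    return True, f"num_logs = {num_logs}: rotation can occur"

def demo():
    """Check constructed sample configs written to a temporary directory."""
    samples = {
        "workaround": "num_logs = 5\n",  # the config suggested in the thread
        "single": "# one file only\nnum_logs = 1\n",
        "ignore": "num_logs = 5\nmax_log_file_action = IGNORE\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        results = {"missing": rotation_status(Path(tmp) / "auditd.conf")[0]}
        for name, body in samples.items():
            path = Path(tmp) / f"{name}.conf"
            path.write_text(body, encoding="utf-8")
            results[name] = rotation_status(path)[0]
    return results
```

On a host, `rotation_status("/etc/audit/auditd.conf")` gives the verdict and the reason for the live config.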
I've tried setting up logrotate but set it to a week and don't know if it'll work yet.
I don't know how easy it is but adding a simple Wiki page on how to set up auditd with logrotate could be an idea?
> I've tried setting up logrotate but set it to a week and don't know if it'll work yet.
great, let's see what happens
did you use SIGHUP as described by the upstream documentation?
> I don't know how easy it is but adding a simple Wiki page on how to set up auditd with logrotate could be an idea?
fantastic idea! are you willing to put your findings on http://wiki.nixos.org/?
Issue description
It seems that the NixOS module doesn't export an option to configure rotation of /var/log/audit/audit.log in order to avoid server crashes due to out of disk space errors (or to use something different than the default (which on Red Hat apparently is 6MB)). Is that correct?
Technical details
Any NixOS version