Audit log file rotation

Audit logs files are saved to an Admin Node’s /var/local/audit/export directory. The active audit log files are named audit.log.

Once a day, the active audit.log file is saved, and a new audit.log file is started. The name of the saved file indicates when it was saved, in the format yyyy-mm-dd.txt. If more than one audit log is created in a single day, the file names use the date the file was saved, appended by a number, in the format yyyy-mm-dd.txt.n. For example, 2018-04-15.txt and 2018-04-15.txt.1 are the first and second log files created and saved on 15 April 2018.

After a day, the saved file is compressed and renamed, in the format yyyy-mm-dd.txt.gz, which preserves the original date. Over time, this results in the consumption of storage allocated for audit logs on the Admin Node. A script monitors the audit log space consumption and deletes log files as necessary to free space in the /var/local/audit/export directory. Audit logs are deleted based on the date they were created, with the oldest being deleted first. You can monitor the script's actions in the manage-audit.log file.

This example shows the active audit.log file, the previous day's file (2018-04-15.txt), and the compressed file for the prior day (2018-04-14.txt.gz).