Audit log file rotation

Contributors netapp-pcelmer

Audit logs files are saved to an Admin Node’s /var/local/audit/export directory. The active audit log files are named audit.log.

Note Optionally, you can change the destination of audit logs and send audit information to an external syslog server. Local logs of audit records continue to be generated and stored when an external syslog server is configured. See Configure audit messages and log destinations.

Once a day, the active audit.log file is saved, and a new audit.log file is started. The name of the saved file indicates when it was saved, in the format yyyy-mm-dd.txt. If more than one audit log is created in a single day, the file names use the date the file was saved, appended by a number, in the format yyyy-mm-dd.txt.n. For example, 2018-04-15.txt and 2018-04-15.txt.1 are the first and second log files created and saved on 15 April 2018.

After a day, the saved file is compressed and renamed, in the format yyyy-mm-dd.txt.gz, which preserves the original date. Over time, this results in the consumption of storage allocated for audit logs on the Admin Node. A script monitors the audit log space consumption and deletes log files as necessary to free space in the /var/local/audit/export directory. Audit logs are deleted based on the date they were created, with the oldest being deleted first. You can monitor the script’s actions in the following file: /var/local/log/manage-audit.log.

This example shows the active audit.log file, the previous day’s file (2018-04-15.txt), and the compressed file for the prior day (2018-04-14.txt.gz).