Logrotate
auditd does not compress logs during rotation
auditd does not compress any logs. Maybe this is a configuration problem. Can you tell me what in the configuration below is causing this?
    local_events = yes
    write_logs = yes
    log_file = /var/log/audit/audit.log
    log_group = root
    log_format = RAW
    flush = INCREMENTAL_ASYNC
    freq = 50
    max_log_file = 100
    num_logs = 5
    priority_boost = 4
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file_action = keep_logs
    space_left = 75
    space_left_action = email
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SUSPEND
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    use_libwrap = yes
    ##tcp_listen_port =
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key
    distribute_network = no
auditd cannot compress its own logs; you need to set up logrotate for that. For more information, see:
https://bgstack15.wordpress.com/2018/02/13/logrotate-audit-log-selinux-cron-and-ansible/
Both are slightly out of date, but you can easily replace
service restart auditd
with systemctl restart auditd
Required changes to auditd.conf (by default it rotates the files on its own, which is not what we want):
    max_log_file = 0
    max_log_file_action = ignore
An example logrotate file, e.g.
/etc/logrotate.d/audit
    /var/log/audit/*.log {
        weekly
        missingok
        compress
        #copytruncate
        rotate 30
        minsize 100k
        maxsize 200M
        postrotate
            touch /var/log/audit/audit.log ||:
            chmod 0600 /var/log/audit/audit.log ||:
            service auditd restart
        endscript
    }
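As an added example (not code from the original answer), here is a small POSIX shell check a practitioner can run before and after applying the change above. It parses auditd.conf text to report whether auditd still rotates its log on its own (auditd renames audit.log to audit.log.1 and so on but never compresses, and a second rotation by logrotate on the same files would conflict), and it checks a logrotate rule for the two properties that matter here: compress, and a postrotate step that makes auditd reopen audit.log, because auditd holds the file open and would otherwise keep writing into the renamed audit.log.1. The configuration texts are constructed inline from the question and the answer; the function names are the example's own. One caveat worth knowing: on systemd distributions whose auditd.service sets RefuseManualStop=yes (RHEL and derivatives), systemctl restart auditd is refused, and service auditd restart, as used in the postrotate block, goes through the legacy init action instead.

```shell
#!/bin/sh
# Added example; not from the original answer. Checks the two things that decide
# whether audit logs end up compressed: does auditd.conf still let auditd rotate
# its own log, and does the logrotate rule both compress and make auditd reopen
# audit.log. All configuration text below is constructed inline for demonstration.

# Print who owns rotation for the auditd.conf text given on stdin:
#   "auditd:<action>"  auditd acts on max_log_file itself (rotate, keep_logs, ...),
#                      so a logrotate rule on the same files would conflict
#   "logrotate"        max_log_file_action = ignore: auditd leaves size handling
#                      to an external tool
# A missing max_log_file_action is treated as "rotate", auditd's built-in default.
rotation_owner() {
    awk '
        /^[[:space:]]*#/ { next }                      # comment line
        /^[[:space:]]*$/ { next }                      # blank line
        /^[[:space:]]*max_log_file_action[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")             # keep only the value
            sub(/[[:space:]]+$/, "")
            action = tolower($0)
        }
        END {
            if (action == "") action = "rotate"
            if (action == "ignore") print "logrotate"
            else print "auditd:" action
        }
    '
}

# Return 0 when the logrotate rule text on stdin both compresses and has a
# postrotate block that restarts or signals auditd; return 1 otherwise.
logrotate_rule_ok() {
    awk '
        /^[[:space:]]*#/ { next }                      # e.g. the commented-out copytruncate
        /^[[:space:]]*compress[[:space:]]*$/ { compress = 1 }
        /^[[:space:]]*nocompress[[:space:]]*$/ { compress = 0 }
        /^[[:space:]]*postrotate/ { inpost = 1; next }
        /^[[:space:]]*endscript/ { inpost = 0 }
        inpost && /auditd/ { reopen = 1 }             # restart/signal inside postrotate
        END { if (compress && reopen) exit 0; exit 1 }
    '
}

# Constructed sample: the relevant lines from the question's auditd.conf
ASKER_AUDITD_CONF='max_log_file = 100
max_log_file_action = keep_logs'

# Constructed sample: the settings the answer recommends
FIXED_AUDITD_CONF='max_log_file = 0
max_log_file_action = ignore'

# Constructed sample: the logrotate rule from the answer
AUDIT_LOGROTATE_RULE='/var/log/audit/*.log {
    weekly
    missingok
    compress
    #copytruncate
    rotate 30
    minsize 100k
    maxsize 200M
    postrotate
        touch /var/log/audit/audit.log ||:
        chmod 0600 /var/log/audit/audit.log ||:
        service auditd restart
    endscript
}'

# Constructed sample: a rule that compresses but never tells auditd to reopen
BROKEN_LOGROTATE_RULE='/var/log/audit/*.log {
    weekly
    compress
    rotate 30
}'

# Convenience wrappers so each check can be called by name on a sample text.
owner_of() { printf '%s\n' "$1" | rotation_owner; }
rule_ok()  { printf '%s\n' "$1" | logrotate_rule_ok; }

# Demonstration run: report the verdict for each sample.
printf 'question auditd.conf: rotation owner = %s\n' "$(owner_of "$ASKER_AUDITD_CONF")"
printf 'fixed auditd.conf:    rotation owner = %s\n' "$(owner_of "$FIXED_AUDITD_CONF")"
if rule_ok "$AUDIT_LOGROTATE_RULE"; then echo 'answer rule: compresses and makes auditd reopen its log'; fi
if ! rule_ok "$BROKEN_LOGROTATE_RULE"; then echo 'broken rule: auditd would keep writing into audit.log.1'; fi
```

To check a live system instead of the samples, feed the real files to the same functions, for example rotation_owner < /etc/audit/auditd.conf and logrotate_rule_ok < /etc/logrotate.d/audit; a "logrotate" verdict for the first and exit status 0 for the second is the state the answer describes.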