Cleanup of /var/asl/data/audit/

Posted: Sat Nov 16, 2013 4:44 pm
by lvalics
Hi,

On a heavy server, /var/asl/data/audit/ is filling up too quickly and I can have gigabytes of data, and I see it does not get emptied after a while, so in days I get 20-30GB. How can I clean up? Is there a command in mod_sec or ASL?

Re: Cleanup of /var/asl/data/audit/

Posted: Sun Nov 17, 2013 5:30 pm
by faris
Hmmm... although mine isn't big, the sheer number of files in there is causing a problem for me and I would certainly like to get control of this.

I thought this setting in /etc/asl/config might be related:

ASL_DB_RETENTION="5 days"

But it is not -- that's for the DB only from the looks of things (since I have 16 days' worth in the audit directory, and given it has "DB" not "audit" in the variable name!).

Re: Cleanup of /var/asl/data/audit/

Posted: Sun Nov 17, 2013 5:32 pm
by mikeshinn
This is the setting that controls how long the audit data is kept for WAF events:

https://www.atomicorp.com/wiki/index.ph ... LEAN_ALERT

Re: Cleanup of /var/asl/data/audit/

Posted: Mon Nov 18, 2013 2:38 pm
by faris
Ooh, a new one on me. Thanks.

Re: Cleanup of /var/asl/data/audit/

Posted: Mon Apr 24, 2017 1:46 pm
by Evanion
I really wish they would store this data in a database ... the number of files is eating up our inodes...