[Aide] I (ignore changed filename) woes
Marc Haber
mh+aide at zugschlus.de
Tue Nov 1 09:36:25 EET 2005
Hi,
On Fri, Oct 28, 2005 at 09:21:27AM +0200, Richard van den Berg wrote:
> Marc Haber wrote:
> > on my test host, I am running the CVS snapshot from October 26. I have
> > a rule
> >
> > RotatedLogs = I+n+p+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
>
> It could be you ran into bug number 1065184, see
> http://sourceforge.net/tracker/index.php?func=detail&aid=1065184&group_id=86976&atid=581579
>
> The following rule should work:
>
> RotatedLogs = I+n+p+i+u+g+s+b+m+md5+sha1+rmd160+haval+gost+crc32+tiger
Indeed, it does.
> > Maybe it'll help if somebody familiar with the aide code could explain
> > - in prose - how the new I setting works internally.
>
> IIRC the I (Inode) setting checks the properties of the inode and
> ignores changes in the filename itself.
Thanks for that explanation.
Now another problem. During the day, /var/log/syslog/syslog grows.
During log rotation, the following happens:
1) /var/log/exim4/mainlog.${n}.gz becomes /var/log/exim4/mainlog.${n+1}.gz,
for all n>2 where /var/log/exim4/mainlog.${n}.gz exists
2) /var/log/exim4/mainlog.1 is compressed to /var/log/exim4/mainlog.2.gz
3) /var/log/exim4/mainlog becomes /var/log/exim4/mainlog.1
4) /var/log/exim4/mainlog is newly created
5) syslogd is SIGHUPped and starts writing to the newly created
/var/log/exim4/mainlog
With the following rule set:
Binlib = n+p+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
StaticDir = n+p+i+u+g
Logs = n+p+i+u+g+S
RotatedLogs = I+n+p+i+u+g+s+b+m+md5+sha1+rmd160+haval+gost+crc32+tiger
!/var$
/var/ Binlib
/var/log$ StaticDir
/var/log Logs
/var/log/exim4/(main|reject)log\.[0-9]{1,3}\.gz$ RotatedLogs
this results in the following messages in aide --check output:
added:/var/log/exim4/mainlog.2.gz
changed:/var/log/exim4/mainlog
changed:/var/log/exim4/mainlog.1
File: /var/log/exim4/mainlog
Size : 640977 , 1186967
Bcount : 1264 , 2328
Mtime : 2005-10-30 23:56:47 , 2005-11-01 07:38:16
Ctime : 2005-10-30 23:56:47 , 2005-11-01 07:38:16
Inode : 507955 , 507913
MD5 : TqZLr8Ya9UgqpUdqnHTV3w== , m3QsApRu0Q4WGedw2rzFNw==
SHA1 : 0ggPr54I/6epD8PuAZtpOheE5Po= , f9uNKcK9ARjISEC+8n/qDLaJN50=
RMD160 : +UbSvY+QglSMbQQEUOeoNJRs2Dk= , hXbSH1+jojx6AC6fHmHE6+Dg6UE=
TIGER : lowxuaZPB5qLkTFYkU3PseUYFdM0QnF0 , ftJCwB4DOkreRmmVxdpWUweezUOYmgYg
CRC32 : DVAUaQ== , rc65Sg==
HAVAL : NROCZen93zm+S3YPmTekJGfv+Uybk8GzX3fUVId, MMQHsf2WcjoimSOrOW0Db9uEU3cId8VATyC8JMX
GOST : j2T5K0RhlUoZmaRoXubsZUl4DATWZCze7803o6V, pcPASslQAGVdaFmoVjJU+ti9vHDcJfDhkLpBKPG
File: /var/log/exim4/mainlog.1
Size : 2019720 , 897671
Bcount : 3960 , 1768
Mtime : 2005-10-30 07:44:24 , 2005-10-31 07:44:05
Ctime : 2005-10-30 07:44:26 , 2005-10-31 07:44:50
Inode : 507913 , 507955
MD5 : Bh5iWKt2GnxF89Elr6jm6Q== , yWekyP/+rXvf9M0THumyww==
SHA1 : 20UFLroPKpBYoSwf9TQ+fp9G7SY= , Xj4lUaVG1OOmQFDdaVuBQ4uV/LA=
RMD160 : hNcUS+pwVW/RdSpug4scbLDI2J4= , khViSGtwfE3j0PObCG3Ta7+sESg=
TIGER : zJFxsn4I93D5O0gJgoEXo0WIbTzsyzB/ , lDWzSVSCd4FVxN7THA5eUNWfDJl8uNbR
CRC32 : YGvmBg== , TTbjOA==
HAVAL : l7xzQmHWHHHHrBjnqACUSn58Zkatmp8Otj5IkzA, Ildky6PWrYxgIws2lGOTLHFnB52+bc4+0vCzCtP
GOST : OnUGBlelAeLYGM/4lLW2QSPSV2GGuvBTXk/wZx9, S3ngjDujKm5CvkVqSK59iCOZrTyy7/3wy2aSjKR
I suspect that I can get rid of the two changed files by applying
Logs = n+p+u+g+S to mainlog and
LowLogs = n+p+u+g to mainlog.1,
but what do I do with the "new" .2.gz file? If I use
!/var/log/exim4/mainlog.2.gz, I am completely excluding the file from
the aide database and will probably get the .3.gz file flagged as new.
Is there some way to say "it's ok to have a file matching this regexp
appear, include its value to the database but do not list it"?
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
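To make the rotation steps and the two matching modes concrete, here is an added example (not code from the post and not AIDE's own code) that replays the five rotation steps on a scratch directory and diffs two snapshots with a deliberately simplified model of AIDE's matching: name-keyed for the Logs entries, inode-keyed for the RotatedLogs entry that carries I. The filenames and log contents are constructed, and the rule ordering and attribute set are a simplification, not AIDE's real selection logic.

```python
import gzip, hashlib, os, pathlib, re, shutil, tempfile

def snapshot(root):
    """Per filename: (inode, size, sha1), the attributes the post's rules compare."""
    snap = {}
    for path in pathlib.Path(root).iterdir():
        data = path.read_bytes()
        snap[path.name] = (path.stat().st_ino, len(data), hashlib.sha1(data).hexdigest())
    return snap

def rotate(root):
    """The five rotation steps from the post, replayed on a scratch directory."""
    p = lambda name: os.path.join(root, name)
    nums = [int(f.split(".")[1]) for f in os.listdir(root) if re.fullmatch(r"mainlog\.\d+\.gz", f)]
    for n in sorted(nums, reverse=True):                       # step 1: shift old .gz files up
        os.rename(p("mainlog.%d.gz" % n), p("mainlog.%d.gz" % (n + 1)))
    with open(p("mainlog.1"), "rb") as src, gzip.open(p("mainlog.2.gz"), "wb") as dst:
        shutil.copyfileobj(src, dst)                            # step 2: compress .1 to .2.gz
    os.remove(p("mainlog.1"))
    os.rename(p("mainlog"), p("mainlog.1"))                     # step 3: current becomes .1
    with open(p("mainlog"), "w") as f:                          # steps 4-5: new file, new writes
        f.write("first line after SIGHUP\n")

def compare(old, new, rules):
    """Name-keyed rules pair old/new by filename; inode-keyed rules (the post's I) by inode."""
    report = {"added": [], "removed": [], "changed": []}
    for pattern, by_inode in rules:
        key = lambda name, rec: rec[0] if by_inode else name   # identity: inode or name
        o = {key(k, v): (k, v) for k, v in old.items() if re.search(pattern, k)}
        n = {key(k, v): (k, v) for k, v in new.items() if re.search(pattern, k)}
        for k, (name, rec) in n.items():
            if k not in o:
                report["added"].append(name)                   # new identity under this rule
            elif rec != o[k][1]:
                report["changed"].append(name)                 # same identity, attributes differ
        report["removed"] += [name for k, (name, _) in o.items() if k not in n]
    return report

def run_demo():
    """Constructed exim4-style log set: snapshot, rotate, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as root:
        p = lambda name: os.path.join(root, name)
        with gzip.open(p("mainlog.2.gz"), "wb") as f:
            f.write(b"two days ago\n")
        for name, text in (("mainlog.1", "yesterday\n" * 10), ("mainlog", "today\n" * 5)):
            with open(p(name), "w") as f:
                f.write(text)
        before = snapshot(root)
        rotate(root)
        rules = [(r"^mainlog$", False), (r"^mainlog\.1$", False), (r"\.[0-9]{1,3}\.gz$", True)]
        return compare(before, snapshot(root), rules)
```

Running `run_demo()` reproduces the shape of the post's report: mainlog and mainlog.1 are "changed" because they are matched by name, while under the inode-keyed rule the renamed mainlog.2.gz → mainlog.3.gz is silent and only the freshly created mainlog.2.gz is "added".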